AUTHENTICATED 
US. GOVERNMENT 
INFORMATION ^ 


THE DEPARTMENT OF HOMELAND SECURITY: AN 
ASSESSMENT OF THE DEPARTMENT AND A 
ROADMAP FOR ITS FUTURE 


HEARING 

BEFORE THE 

COMMITTEE ON HOMELAND SECURITY 
HOUSE OF REPRESENTATDH]S 

ONE HUNDRED TWELETH CONGRESS 

SECOND SESSION 

SEPTEMBER 20, 2012 

Serial No. 112-119 


Printed for the use of the Committee on Homeland Security 



Available via the World Wide Web: http://www.gpo.gov/fdsys/ 


U.S. GOVERNMENT PRINTING OFFICE 
81-128 PDF WASHINGTON : 2013 


For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 


COMMITTEE ON HOMELAND SECURITY 

Peter T. King, New York, Chairman 


Lamar Smith, Texas 
Daniel E. Lungren, California 
Mike Rogers, Alabama 
Michael T. McCaul, Texas 
Gus M. Bilirakis, Florida 
Paul C. Broun, Georgia 
Candice S. Miller, Michigan 
Tim Walberg, Michigan 
Chip Cravaack, Minnesota 
Joe Walsh, Illinois 
Patrick Meehan, Pennsylvania 
Ben Quayle, Arizona 
Scott Rigell, Virginia 
Billy Long, Missouri 
Jeff Duncan, South Carolina 
Tom Marino, Pennsylvania 
Blake Farenthold, Texas 
Robert L. Turner, New York 


Bennie G. Thompson, Mississippi 
Loretta Sanchez, California 
Sheila Jackson Lee, Texas 
Henry Cuellar, Texas 
Yvette D. Clarke, New York 
Laura Richardson, California 
Danny K. Davis, Illinois 
Brian Higgins, New York 
Cedric L. Richmond, Louisiana 
Hansen Clarke, Michigan 
William R. Keating, Massachusetts 
Kathleen C. Hochul, New York 
Janice Hahn, California 
Ron Barber, Arizona 


Michael J. Russell, Staff Director I Chief Counsel 
Kerry Ann Watkins, Senior Policy Director 
Michael S. Twinchek, Chief Clerk 
1. Lanier Avant, Minority Staff Director 


(H) 



CONTENTS 


Page 

Statements 

The Honorable Peter T. King, a Representative in Congress From the State 

of New York, and Chairman, Committee on Homeland Security 1 

The Honorable Bennie G. Thompson, a Representative in Congress From 
the State of Mississippi, and Ranking Member, Committee on Homeland 
Security 3 

Witnesses 

Mr. Richard L. Skinner, Former Inspector General, Department of Homeland 
Security: 

Oral Statement 6 

Prepared Statement 7 

Mr. Stewart A. Baker, Former Assistant Secretary for Policy, Department 
of Homeland Security: 

Oral Statement 14 

Prepared Statement 15 

Mr. Frank J. Cilluffo, Former Principal Advisory to Governor Tom Ridge, 

White House Office of Homeland Security: 

Oral Statement 20 

Prepared Statement 22 

Mr. David C. Maurer, Director, Homeland Security and Justice, Government 
Accountability Office: 

Oral Statement 30 

Prepared Statement 32 

Appendix 

Questions From Chairman Peter T. King for Richard L. Skinner 63 

Questions From Chairman Peter T. King for Stewart A. Baker 64 

Questions From Chairman Peter T. King for Frank J. Cilluffo 64 

Questions From Chairman Peter T. King for David C. Maurer 65 


(III) 




THE DEPARTMENT OF HOMELAND SECURITY: 
AN ASSESSMENT OF THE DEPARTMENT 
AND A ROADMAP FOR ITS FUTURE 


Thursday, September 20, 2012 

U.S. House of Representatives, 

Committee on Homeland Security, 

Washington, DC. 

The committee met, pursuant to call, at 10:07 a.m., in Room 311, 
Cannon House Office Building, Hon. Peter T. King [Chairman of 
the committee] presiding. 

Present: Representatives King, Lungren, Rogers, McCaul, Bili- 
rakis. Miller, Walberg, Marino, Turner, Thompson, Jackson Lee, 
Cuellar, Richardson, Richmond, Clarke of Michigan, and Hahn. 

Chairman King. Okay. Good morning. The Committee on Home- 
land Security will come to order. The Ranking Member has been 
delayed, but he will be here. His staff has suggested that we start 
the hearing, since our witnesses are here. 

The committee is meeting today to examine the current state of 
the Department of Homeland Security — oh, the Ranking Member is 
here, thank you — and the solution to the future. I will now recog- 
nize myself for an opening statement. 

I want to thank each of the witnesses for being here today. I be- 
lieve all of you have testified here before. Mr. Baker has done dou- 
ble duty, also, by being in the Department testifying and now com- 
ing back. He is also a noted author. Again, it is great to have all 
of you here today. 

This, I think we always try to keep this committee as bipartisan 
as possible. But I would say that today’s hearing will probably be 
the essence of bipartisanship because everyone on the committee 
wants the Department to succeed. All of us believe that progress 
has been made. 

There are questions, of course, of where more progress can be 
made where there are still deficiencies. Each of you is an expert 
on the issues so we really look forward to your testimony. I know 
since September 11 we had four Islamist attacks or attempted at- 
tacks within the United States. In addition to that, there have been 
dozens of disrupted terrorist attacks against the homeland. 

Just in the last 2 years alone we have had a series of them, in- 
cluding bomb plots against the Capitol Building. There was a 
young man arrested in Chicago last week. So this is an on-going 
threat against the United States. I think the fact that none of these 
attacks has succeeded is at least partially due to the efforts of the 
Department of Homeland Security and also how it fits into the 

( 1 ) 



2 


overall counterterrorism matrix that has heen established since 
September 11. 

Now, the current unrest in the Middle East involving radicals 
and affiliates of al-Qaeda further underscores how threats from 
that part of the world impact our counterterrorism efforts to pre- 
vent weapons of mass destruction from getting into the hands of 
those who want to kill Americans in the homeland. 

Now, during the 112th Congress, this committee has examined 
a series of issues. Obviously, there was a lot of publicity and noto- 
riety, or interest, in the hearings we had on the issue of 
radicalization in the Muslim-American community, steps to address 
the issue. But we also had a series of other hearings, including cy- 
bersecurity, hardening our critical infrastructure, protecting chem- 
ical facilities. 

The operations of TSA, Chairman Rogers has been especially ac- 
tive on that. That is an area of particular concern to us on both 
sides of the aisle as far as making the TSA more efficient and also 
more effective. Also, what it can do to, again, improve its image. 
Not in the sense of image, but in gaining the confidence of the 
American people, which it has not been able to do. 

Also, we have looked into issues regarding reforms to the Depart- 
ment — in its management, improve employee morale, cut red tape, 
save taxpayer dollars. Also emergency communications, the effec- 
tive administration of Homeland Security grants, reduce our vul- 
nerability to attacks on the homeland using lEDs such as the 
Times Square car bomb. 

Also the whole issue of border security along the land and mari- 
time borders. We look forward to building on this oversight. But 
this hearing today, and your testimony, can, I believe, help guide 
us in the right direction and provide a more coherent framework 
for us. 

As we consider the road map for DHS, some of the questions we 
have is: How can the Department use scarce taxpayer dollars? Be- 
cause unlike after 9/11, when basically the money that was felt was 
needed was given, the fact is that we do face budget restraints. I 
believe, in too many cases there has been too much money cut from 
the Department of Homeland Security. 

Whether I like it or not or the Ranking Member likes it or not, 
for the foreseeable future that is the reality that DHS is going to 
have to face. Even if the cuts are not as severe in the future as 
they have been over the last several years, it is going to be a very, 
very tight, tight budget no matter what. 

So how can the Department use the taxpayers’ dollars more wise- 
ly? How effective are the Department’s efforts to counter violent ex- 
tremism? To what extent is DHS able to work with our allies over- 
seas? To what extent have they become a player in the intelligence 
community, both here and overseas? 

Also, just what recommendations that you believe the Depart- 
ment should make to strengthen the overall homeland security of 
the United States. Now, there has been progress made in a lot of 
areas. I am sure you are going to touch on that, and all sides can 
agree that there has been progress made. Certainly involving 
FEMA, involving strategic and operational plans, allocating fund- 



3 


ing based on risk, raising public awareness about the importance 
of reporting suspicious activity. 

Yet there is so much more work to be done as far as integrating 
management functions, strengthening information technology and 
financial management, improving contracting and acquisition prac- 
tices and controls, ultimately establishing a biometric exit screen- 
ing system, securing the border using objective measures, enforcing 
penalties against immigration violators, exercising authority to se- 
cure chemical facilities, developing a risk-based approach to screen- 
ing airline passengers, strategically managing risks and assessing 
program performance. 

Also, I think one thing we all agree on is that Congress has to 
undertake its own reform. If we are going to be able to effectively 
oversee the Department of Homeland Security, we can’t have this 
number of committees and subcommittees — depending on what 
number you want to use, it is in the eighties or nineties, it is more 
than 100 of committees, subcommittees — commissions, boards that 
the Department has to report to, often giving the same testimony, 
just to a different set of Members of Congress; some of whom are 
just interesting in getting their spot on the evening news on a com- 
mittee that has, at best, tangential association with the Depart- 
ment of Homeland Security. 

So that is really our burden and not yours. But any testimony 
you could give us to strengthen our case for both sides of the aisle 
would be greatly appreciated. So I want to thank all of you for 
being in here today. I look forward to your testimony. This will be, 
I assume, the last full committee hearing of the year; certainly 
until after the recess. 

I want to thank the Ranking Member. We haven’t always agreed, 
but I believe we have been able to work in a collegial way. I say, 
that is all Members on the committee. Considering the divisions 
that there have been in Congress over the past 2 years, while 
mayhe everything isn’t perfect on this committee I think we can 
say we have done, I think, as well if not better than almost any 
other committee in Congress in trying to find ways to work to- 
gether. 

So with that softball approach, I am recognizing the Ranking 
Member, the distinguished gentleman from Mississippi, for his 
opening statement. 

Mr. Thompson. Thank you very much. Chairman King. I do 
agree with you on your last statement. We, I think, have set the 
bar for a lot of other committees on our ability to work. I look for- 
ward to continuing to work with you on that. 

But there are differences, and I think from time to time those 
differences are reflected. But the greatness of this country is that 
people who differ can still come together for the common good. We 
do that. Again, thank you for holding this hearing. 

In March 2003 the Federal Government stood up the Department 
of Homeland Security in response to the separate 2001 terrorist at- 
tack. Today, the Department of Homeland Security is the third- 
largest agency in the Federal Government, employing about 
220,000 people and operating both domestically and internation- 
ally. 



4 


Prior to the September 2001, the United States used various ap- 
proaches to handle catastrophic dangers, including National Guard 
involvement, law enforcement, and emergency management. But 
the events of 2001 forced us to begin a process aimed at the devel- 
opment of a cohesive homeland security policy. 

Over the last 10 years, the concept of homeland security has 
evolved and expanded. While the need to address terrorism re- 
mains central to our understanding of homeland security, we now 
understand that homeland security must include other catastrophic 
incidents. We must remain concerned about the risks that may 
threaten the lives of our people. 

But we cannot fail to recognize those things that may threaten 
the strength of our democracy, the vitality of our economy, as well 
as the continuation of public and private-sector activities that im- 
pact our daily lives. From critical infrastructure protection to cy- 
bersecurity, the evolution and expansion of our understanding of 
homeland security has required us to ask the Department about 
risk assessment, strategic development, and operational priorities. 

From my vantage point, the ability to come to grips with these 
questions of risk strategy and operations has formed a core of the 
Department’s struggles as well as form the basis for its successes. 
So as we begin to discuss the Department’s road map to the future, 
we must acknowledge that its presence on GAO’s high-risk list re- 
mains a continuing cause for concern. 

The importance of the Department’s high-risk designation, and 
its ability to implement its plans to resolve the transformation and 
integration issues that continue to hamper its development into a 
cohesive organizational unit, cannot be understated. For several 
years, I have noted the need to strengthen the ability of the under 
secretary for management to require and enforce uniform adminis- 
trative practices and procedures through each component. 

It seems to me that the lack of power in the management office 
will continue to permit ineffective and inconsistent practices in pro- 
curement and personnel throughout the components. We see the re- 
sults of these inconsistencies each time we learn about wasted 
money. We read about the fallout of these inconsistent practices 
every year when a Department ends up near the bottom of OPM’s 
annual survey of employee satisfaction. 

So as we consider the road map forward, let us be sure to con- 
sider how the Department can achieve the mission, and improve its 
internal operations. The biggest challenge, however, is whether 
Congress will fully fund Homeland Security efforts as opposed to 
slashing the Homeland Security budget as proposed by the Major- 
ity. 

While the threat to homeland security has not diminished, the 
Department of Homeland Security has been required to do more 
with less. The fiscal 2012 Homeland Security appropriations short- 
changed homeland security from border security to aviation secu- 
rity, science, and technology. In particular, the management direc- 
torate and the budget environment for fiscal year 2013 has not 
changed. 

In fact, it may have worsened. I would like to also say at this 
point that Congress hasn’t been really helpful in some of these sit- 
uations because we have not, when I was chair — and now Chair- 



5 


man King, since he is back — been able to convince our leadership 
that a consolidated jurisdiction for the Department of Homeland 
Security would be in the best interests of this country. 

I think we still agree on that, right? 

Chairman King. Absolutely. 

Mr. Thompson. Okay. Just checking. So I want to make sure 
that everybody understands that as long as jurisdiction is split the 
Department is tasked with responding to over 100 committees and 
subcommittees on this Hill. That is just too much. So I look for- 
ward to hearing from our witnesses on these and other issues as 
we discuss the path forward for the Department. 

I yield back the balance of my time. 

Chairman King. I thank the Ranking Member for his statement 
and for yielding back. Also emphasize again that we stand as one 
on the whole issue of jurisdictional consolidation. It makes abso- 
lutely no sense, the current situation; absolutely none whatsoever. 

As I mentioned before, we are pleased to have a distinguished 
panel of witnesses before us today on this vital topic. It is, again, 
a privilege to have you here today once again. Let me begin with 
Mr. Richard Skinner, who was the first Senate-confirmed inspector 
general of the Department of Homeland Security. He served in that 
capacity from 2008 to early 2011. 

He has held managerial positions in various agencies throughout 
the Federal Government, including FEMA, the Department of Agri- 
culture, the Department of Justice, the Department of Commerce 
and the State Department. In 1998, he received the President’s 
meritorious executive rank award for superior accomplishment in 
management programs of the United States Government. 

I would just say, as Chairman and as former Ranking Member, 
your testimony before our committee has always been extremely 
helpful. I think we would agree, totally nonpartisan and in the best 
interests of the country. 

With that, the gentleman’s recognized for 5 minutes. 

Mr. Thompson. If the gentleman will yield, we agree on that, too. 

[Laughter.] 

STATEMENT OF RICHARD L. SKINNER, FORMER INSPECTOR 
GENERAL, DEPARTMENT OF HOMELAND SECURITY 

Mr. Skinner. Well, thank you very much and good morning. 
Chairman King and Ranking Member Thompson. It is good to see 
everyone again. It is truly an honor to be here today, and I really 
thank you very much for this opportunity. 

Since its inception in 2003, the Department has worked to ac- 
complish the largest reorganization of the Federal Government in 
more than a half a century. This task has presented many chal- 
lenges. While it is making progress, the Department still has much 
to do to be a cohesive, efficient, and effective organization. 

Today, I would like to talk about four often-overlooked manage- 
ment support functions that constitute the platform upon which the 
Department’s programs must operate and are critical to the suc- 
cessful accomplishment of the Department’s mission. That is finan- 
cial management, IT management, acquisition management, and 
grants management. 



6 


Concerning financial management, in 2011 the Department was 
again unable to obtain an opinion on its financial statements. Nu- 
merous material internal control weaknesses were again reported. 
Although it has reduced the number of material weaknesses and 
has received a qualified audit opinion on its consolidated balance 
sheet and custodial activity, it is unlikely this progress will con- 
tinue unless the Department modernizes its financial systems. 

Due to 2012 budget reductions — and also it looks like in 2013, as 
well — recent modernization initiatives have been on hold indefi- 
nitely. It is not clear now when the Department will resume its 
modernization strategy, nor is it clear whether these initiatives, if 
and when they are ever implemented, will ensure that financial 
management systems can generate reliable, useful, timely informa- 
tion for day-to-day decision-making. 

In the interim, the Department must continue to use archaic, un- 
reliable systems to manage its financial resources. Also, the De- 
partment and its components are still struggling to upgrade and in- 
tegrate their respective IT infrastructures. According to recent OIG 
reports as recent as this past July, program and field offices con- 
tinue to develop information technology systems independently of 
the CIO, and have been slow to adopt the Department’s standard 
information technology development approach. 

As a result, critical systems are not integrated, do not meet user 
requirements, and do not provide the information technology capa- 
bilities that agency personnel and its external partners both in the 
Federal Government as well as the State and local levels need to 
carry out critical infrastructures in a timely, effective, and efficient 
manner. 

With regard to acquisition management. Secretary Napolitano 
and her executive team have demonstrated a genuine commitment 
to improve the Department’s acquisition management function. 
However, much work remains to be done. Most notably, the De- 
partment needs to identify and acquire the resources needed to ful- 
fill its acquisition management responsibilities. 

The urgency and complexity of the Department’s mission will 
continue to demand rapid pursuit of major investments in high- 
risk, complex acquisition programs. To effectively manage these 
large-dollar procurements, the Department will need a sustained 
commitment, increased resources, and smarter processes to admin- 
ister and oversee the contractors’ work. 

Finally, since its inception the Department has distributed over 
$18 billion through the Homeland Security Grant Program. Yet, ac- 
cording to an OIG report released earlier this year, the Department 
does not have a system in place to determine the extent that these 
funds enhance the State’s capabilities to prevent, deter, respond to, 
and recover from terrorist attacks, major disasters, and other emer- 
gencies. 

Consequently, the Department has been awarding Homeland Se- 
curity Grant funds to States each year for on-going programs with- 
out knowing the accomplishments from prior years’ fundings or the 
extent to which additional funds are needed to achieve desired re- 
sults. Strategic planning, performance measurement, and oversight 
are essential management controls to ensure that grant funds are 



7 


used for their intended purpose and that enhancements in pre- 
paredness capabilities are being achieved. 

Otherwise, it is impossible to determine whether annual invest- 
ments are actually improving our Nation’s homeland security pos- 
ture. In today’s economic climate, it is critical that the Department 
concentrate its limited resources on those threats that pose the 
greatest threat to the country. 

In summary, it is evident that the Department’s senior officials 
are well aware of these challenges and are attempting to remedy 
them. Yet they have actually made headway, Mr. Chairman, as you 
pointed out. The question is, however: Does the Department have 
the resolve and wherewithal to sustain those efforts? 

The ability of the Department to do so is fragile, not only because 
of the early stage of development of those efforts, but also because 
of the Government’s budget constraints and the current lack of re- 
sources to implement planned corrective actions. In today’s envi- 
ronment of large Government deficits and pending budget cuts, the 
new challenge will be to sustain the progress already made and, at 
the same time, continue to make necessary improvements. 

Unless the Department and Congress stay focused on these chal- 
lenges, it will be harder than ever to facilitate solutions to 
strengthen the Department’s critical management support func- 
tions and, ultimately, to ensure the success of the Homeland Secu- 
rity mission. 

Mr. Chairman, this concludes my prepared statement. I will be 
happy to answer any questions the committee may have. 

[The prepared statement of Mr. Skinner follows:] 

Prepared Statement of Richard L. Skinner 
September 20, 2012 

Good afternoon, Chairman Rogers, Ranking Member Thompson, and Members of 
the committee. It is truly an honor to be here today to discuss what the Department 
of Homeland Security needs to do in the years ahead to become a more efficient or- 
ganization. I thank you for this opportunity. 

Since its inception in 2003, the Department has worked to accomplish the largest 
reorganization of the Federal Government in more than half a century. This task, 
creating the third-largest Cabinet agency with the missions of protecting the coun- 
try against another terrorist attack, responding to threats and hazards, ensuring 
safe and secure borders, welcoming lawful immigrants and visitors, and promoting 
the free flow of commerce, has presented many challenges. While the Department 
has made progress over the past 9 years, it still has much to do to establish a cohe- 
sive, efficient, and effective organization. 

The OIG’s latest major management challenges report, dated November 10, 2011, 
continues to address a broad range of issues, including both program and adminis- 
trative challenges. In total, the OIG identified nine categories of challenges: Finan- 
cial Management, Information Technology Management, Acquisition Management, 
Grants Management, Emergency Management, Infrastructure Protection, Border 
Security, Transportation Security, and Trade Operations and Security. These are es- 
sentially the same management challenges that the the OIG reported as early as 
2006. Today, I would like to talk about four of those management challenges: 

• Financial management, 

• Information technology management, 

• Acquisition management, and 

• Grants management. 

These management support functions constitute the platform upon which the De- 
partment’s programs must operate and are critical to the successful accomplishment 
of the Department’s mission. Some of these challenges were inherited by the Depart- 
ment from the legacy agencies. Nevertheless, the complexity and urgency of the De- 



8 


partment’s mission have hampered its efforts to make sustainable progress in imple- 
menting corrective actions. 

Senior officials at the Department recognize the significance of these challenges 
and understand that addressing them will take a sustained and focused effort. They 
have, in fact, taken actions over the past several years to implement, transform, and 
strengthen the Department’s management support functions; albeit, in my opinion, 
at a snail’s pace. 


FINANCIAL MANAGEMENT 

Financial management has been and continues to be a major management chal- 
lenge for the Department since its creation in 2003. In fiscal year 2011, the Depart- 
ment was again unable to obtain an opinion on its financial statements, and numer- 
ous material internal control weaknesses were again reported. These weaknesses, 
due to their materiality, are impediments to obtaining a clean opinion and providing 
positive assurance over internal controls at the Department level. The Department 
has made progress from its early days, however. It has reduced the number of mate- 
rial weaknesses in internal controls from 18 to 5. It also received a qualified audit 
opinion on its consolidated balance sheet and custodial activity for the first time in 
fiscal year 2011. Unfortunately, unless the Department modernizes its financial sys- 
tems, it is unlikely this progress will continue. 

The Department twice unsuccessfully attempted to implement an integrated De- 
partment-wide financial management system, wasting millions of dollars. In 2007, 
the Department ended its first attempt, the Electronically Managing Enterprise Re- 
sources for Government Effectiveness and Efficiency system after determining it 
would not provide the expected functionality and performance. In 2011, the Depart- 
ment decided to change its strategy for financial system modernization. Rather than 
implement a Department-wide integrated financial management system solution, 
the Department decided to take a decentralized approach to financial management 
systems modernization at the component level. Specifically, the Department re- 
ported in its December 2011 strategy that it plans to replace financial management 
systems at three components it has identified as most in need, e.g., FEMA, USCG, 
and ICE. However, due to fiscal year 2012 budget reductions, these initiatives have 
been put on hold indefinitely. It is now not clear when the Department will resume 
its modernization strategy, nor is it clear whether this new, decentralized approach, 
if and whenever it is implemented, will ensure that components’ financial manage- 
ment systems can generate reliable, useful, timely information for day-to-day deci- 
sion making; enhance the Department’s ability to comprehensively view financial in- 
formation across the Department; and comply with related Federal requirements at 
the Department and its components. In the interim, the Department must continue 
to use archaic, unreliable systems to manage it financial resources, which is unfor- 
tunate, particularly in this day and age of budget austerity and the public demand 
for increased fiscal transparency and accountability. 

INFORMATION TECHNOLOGY MANAGEMENT 

According to recent OIG and GAO reports, DHS and its components are still 
struggling to upgrade or transition their respective IT infrastructures, both locally 
and enterprise-wide. 

Integrating the IT systems, networks, and capabilities of the various legacy agen- 
cies to form a single infrastructure for effective communications and information ex- 
change remains one of the Department’s biggest challenges. 

For example, on October 20, 2011, the Assistant IG for Emergency Management 
Oversight, Matt Jadacki, testified that FEMA’s existing information technology sys- 
tems do not effectively support disaster response activities. EEMA has not com- 
pleted its efforts to establish an enterprise architecture, and its IT strategic plan 
was not comprehensive enough to coordinate and prioritize its modernization initia- 
tives and IT projects. The plan did not include clearly-defined goals and objectives, 
nor did it address program office IT strategic goals. Without these critical elements, 
FEMA is challenged to establish an effective approach to modernize its information 
technology infrastructure and systems. 

According to Mr. Jadacki, there is not an adequate understanding of existing in- 
formation technology resources and needs throughout the agency. Specifically, 
FEMA’s Office of the Chief Information Officer (CIO) does not have a complete, doc- 
umented inventory of systems to support disasters. Eurther, program and field of- 
fices continue to develop information technology systems independently of the CIO 
and have been slow to adopt the agency’s standard information technology develop- 
ment approach. As a result, systems are not integrated, do not meet user require- 
ments, and do not provide the information technology capabilities agency personnel 



9 


and its external partners need to carry out disaster response and recovery oper- 
ations in a timely, effective, and efficient manner. 

Furthermore, according to a report issued recently by GAO, FEMA does not have 
an effective system to manage flood insurance and claims data, although it invested 
roughly 7 years and $40 million on a new system whose development has been halt- 
ed because it did not meet users’ needs. 

Most recently, on June 29, 2012, the Assistant IG for Information Technology Au- 
dits, Frank Deffer, reported that the information technology environment and the 
aging IT infrastructure within CBP does not fully support GBP’s mission needs. Ac- 
cording to Mr. Deffer, interoperability and functionality of the technology infrastruc- 
ture have not been sufficient to support CBP mission activities fully. As a result, 
CBP employees have created workarounds or employed alternative solutions, which 
may hinder CBP’s ability to accomplish its mission and ensure officer safety. 

Similar problems also have been reported at the Coast Guard, Citizen and Immi- 
gration Services, Immigration and Customs Enforcement, and Secret Service. Tech- 
nical and cost barriers, aging infrastructure that is difficult to support, outdated IT 
strategic plans to guide investment decisions, and stove-piped system development 
have impeded the Department’s efforts to modernize and integrate its IT systems, 
networks, and capabilities. 

Information Sharing 

The Homeland Security Act of 2002 makes coordination of homeland security com- 
munication with State and local government authorities, the private sector, and the 
public a key Department responsibility. However, due to time pressures, the Depart- 
ment did not complete a number of the steps essential to effective planning and im- 
plementation of the Homeland Security Information Network (HSIN) — the “sensitive 
but unclassified” system it instituted to help carry out this mission. For example, 
the HSIN and the Homeland Security State and Local Community of Interest sys- 
tems, both developed by DHS, are not integrated. As a result, users must maintain 
separate accounts, and information cannot easily be shared across the systems. 
State and local fusion center personnel expressed concern that there were too many 
Federal information sharing systems that were not integrated. As such, effective 
sharing of the counter-terrorist and emergency management information critical to 
ensuring homeland security remains an on-going challenge for the Department. Re- 
sources, legislative constraints, privacy, and cultural challenges — often beyond the 
control of the Department — pose obstacles to the success of the Department’s infor- 
mation-sharing initiatives. 

On a broader scale, the Department is also challenged with incorporating data 
mining into its overall strategy for sharing information to help detect and prevent 
terrorism. Data mining aids agents, investigators, and analysts in the discovery of 
patterns and relationships from vast quantities of data. The Homeland Security Act 
authorizes the Department to use data mining and tools to access, receive, and ana- 
lyze information. However, the Department’s data mining activities consist of var- 
ious stove-piped activities that use limited data mining features. For example, CBP 
performs matching to target high-risk cargo. The Secret Service automates the eval- 
uation of counterfeit documents. TSA collects tactical information on suspicious ac- 
tivities. ICE detects and links anomalies indicative of criminal activity to discover 
relationships. Without Department-wide planning, coordination, and direction, the 
potential for integrating advanced data mining functionality and capabilities to ad- 
dress homeland security issues remains untapped. 

ACQUISITION MANAGEMENT 

DHS has taken notable action to implement, transform, and strengthen its acqui- 
sition management capabilities. During my tenure as the IG of the Department, the 
Secretary and Deputy Secretary of Homeland Security, and other senior officials 
demonstrated a genuine commitment to improve the Department’s acquisition man- 
agement function. In its December 2011 strategy for high-risk management, the De- 
partment presented detailed plans to address a number of acquisition management 
challenges. However, much work remains to fully implement these plans and ad- 
dress these challenges. Most notably, the Department needs to identify and acquire 
the resources needed to implement its acquisition policies. 

OIG and GAO audits over the past 9 years have identified problems related to 
acquisition oversight, cost growth, and schedule delays, resulting in performance 
problems and mission delays, as illustrated by the problems the Department experi- 
enced with the Coast Guard’s Deepwater program, CBP’s SBINet program, FEMA’s 
flood map modernization program, and the CFO’s financial systems consolidation 
initiatives. Each of these efforts failed to meet capability, benefit, cost, and schedule 
expectations. For example, in June 2010 my former office reported that over half 



10 


of the programs we reviewed awarded contracts to initiate acquisition activities 
without component or Department approval of documents essential to planning ac- 
quisitions, such as mission need statements outlining the specific functional capa- 
bilities required to accomplish DHS’ mission and objectives; operational require- 
ments; and acquisition program baselines. Additionally, the OIG reported that only 
a small number of DHS’ major acquisitions had validated cost estimates. 

The urgency and complexity of the Department’s mission will continue to demand 
rapid pursuit of major investment programs. Between fiscal years 2003 and 2010, 
the Department spent about 40 percent of its budget through contracts. Although 
that figure may have decreased over the past 2 years, the Department will continue 
to rely heavily on contractors to accomplish its multifaceted mission and will con- 
tinue to pursue high-risk, complex acquisition programs. 

The Department must have an infrastructure in place that enables it to effectively 
oversee the complex and large-dollar procurements critically important to achieving 
its mission. 

Both the OIG and the GAO have reported that the Office of the Chief Procure- 
ment Officer needs more staff and authority to carry out its general oversight re- 
sponsibilities. The GAO recommended that the Department provide the Office of the 
Chief Procurement Officer sufficient resources and enforcement authority to enable 
effective. Department-wide oversight of acquisition policies and procedures. The OIG 
made a similar recommendation. 

Common Themes in Audits of Department Contracts 

Over the past several years, the OIG and GAO conducted numerous audits of in- 
dividual Department contracts, such as TSA’s information technology services, 
GBP’s SBInet program, the Coast Guard’s Deepwater program, and FEMA con- 
tracting. Common themes and risks emerged from these audits, primarily poor plan- 
ning, the dominant influence of expediency, poorly-defined requirements, and inad- 
equate oversight that contributed to ineffective or inefficient results and increased 
costs. To ensure that its acquisition programs are successful, the Department must 
lay the foundation to oversee and assess contractor performance, and control costs 
and schedules. This requires a sustained commitment, increased resources, and 
smarter processes to administer and oversee the contractors’ work. 

FEMA Procurements 

The Assistant IG for Emergency Management Oversight, Matt Jadacki, testified 
on October 20, 2011 that FEMA has developed and strengthened acquisition man- 
agement policies and processes, but it continues to face challenges. For example, 
weak internal controls have resulted in multi-million dollar contracts with vague 
and questionable requirements and no performance measures. Agency employees re- 
sponsible for managing and monitoring the contractors do not always receive writ- 
ten guidance or training on how to evaluate contractor performance or certify billing 
invoices. Continued improvements are needed in FEMA’s oversight of contracts. 

During my tenure as the IG, my office issued several reports recommending im- 
provements to FEMA’s acquisition processes. Those recommendations have resulted 
in policies and procedures on contract closeout, transferring contract files from one 
contracting officer to another, and labeling and organizing contract files so all con- 
tract actions are properly documented. 

In fiscal year 2010, FEMA deployed Disaster Assistance Employees to accelerate 
contract closeout efforts for the Disaster Relief Fund, de-obligating $1.2 billion. 
These contract closeout efforts continue annually and are in direct response to an 
OIG recommendation. I was pleased to learn that FEMA has created Disaster Ac- 
quisition Response Teams, whose focus on contract administration and oversight of 
large disaster contracts is much needed. My office also reported FEMA’s need for 
an overarching sourcing strategy. Headquarters, regional, and local FEMA rep- 
resentatives were ordering goods without communicating with their counterparts at 
other locations. This resulted in goods ordered that were not needed, purchased 
from the wrong source, or at the wrong time. My former office recommended that 
FEMA adopt the single-point ordering concept, to coordinate all sourcing decisions 
through the Lomstics Section. As a result of this recommendation, FEMA piloted the 
single-point ordering concept during its response to Hurricane Irene. 

Strategic Sourcing 

The Department can improve management of its strategic sourcing. In March 
2011, the OIG reported that the Department did not have a logistics process in place 
to facilitate strategic sourcing of detection equipment. Strategic sourcing would re- 
quire that management standardize equipment purchases for explosive, metal, and 
radiation detection equipment; identify common mission requirements among com- 
ponents; and develop standard data elements for managing the inventory accounts 



11 


of detection equipment. Improving its management of detection equipment will offer 
the Department opportunities to streamline the acquisition process and improve ef- 
ficiencies. 

Acquisition 'Workforce 

DHS made progress in the recruitment and retention of a workforce capable of 
managing a complex acquisition program. At the time of my retirement on March 
1, 2011 the number of procurement staff had more than doubled since 2005. In addi- 
tion, participation in the Acquisition Professional Career Program, which seeks to 
develop acquisition leaders, increased 62 percent from 2008 to 2010. Nevertheless, 
DHS continues to face workforce challenges across the Department. For example, 
according to GAO, the Coast Guard reduced its acquisition workforce vacancies from 
approximately 20 percent to 13 percent, and had filled 832 of its 951 acquisition po- 
sitions as of November 2010. Although acquisition workforce vacancies have de- 
creased, program managers have on-going concerns about staffing program offices. 
Also, according to its August 2010 human-capital staffing study, program managers 
reported concerns with staffing adequacy in program management and technical 
areas. To make up for shortfalls in hiring systems engineers and other acquisition 
workforce positions for its major programs, the Coast Guard must use contractors. 

Likewise, according to the OIG’s Major Management Challenges report, dated No- 
vember 2011, acquisition staff turnover in FEMA has exacerbated file maintenance 
problems and resulted in multimillion-dollar contracts not being managed effectively 
or consistently. One of FEMA’s challenges is hiring experienced contracting officers 
to work disaster operations. The majority of FEMA staff at a disaster site work on 
an on-call, intermittent basis, and, oftentimes, they lack the training and experience 
to manage large disaster response and recovery contracts. 

FEMA also has made great strides in improving its contracting officer’s technical 
representative (COTR) cadre. FEMA has designated staff to oversee the COTR pro- 
gram; developed a tiered system which ties training requirements to dollar values 
of contracts a COTR can monitor; and established an intranet site containing tools 
for COTR use. However, many trained COTRs have never been assigned a contract 
and are unsure of their ability to be effective. And, although they represent the con- 
tracting officer, the COTRs’ appraisals are completed by their supervisors in the 
program offices for which they work, rather than the applicable contracting officer, 
thus leading to divided loyalties. 

Finally, the Department has not fully planned for or acquired the workforce need- 
ed to implement its acquisition oversight policies. According to a GAO report issued 
in February 2011, the Department needs to continue its efforts to: (1) Identify and 
acquire resources needed to achieve key actions and outcomes; (2) implement a pro- 
gram to independently monitor and validate corrective measures; and (3) show 
measurable, sustainable progress in implementing corrective actions and achieving 
key outcomes. The Department needs to demonstrate sustained progress in all of 
these areas to strengthen and integrate the acquisition management functions 
throughout the Department. 

Knowledge Management and Information Systems 

According to the OIG’s annual Major Management Challenges report, the Depart- 
ment has made progress in deplo 3 dng an enterprise acquisition information system 
and tracking key acquisition data. The Department’s acquisition reporting system 
of record, known as nPRS (next-Generation Periodic Reporting System), tracks com- 
ponents’ major acquisition investments. It also has capabilities to store key acquisi- 
tion documents, earned value management information, and risk identification. 
Component personnel are responsible for entering and updating information, which 
includes cost, budget, performance, and schedule data. However, components did not 
complete and report all key information in nPRS. The GIG reported that only 7 of 
17 programs (41%) reported Acquisition Program Baseline required milestones. 
These milestones establish the acquisition cost, schedule, and performance values. 
Only 13 (76%) programs reviewed contained required key documentation such as 
mission needs statements, acquisition plans, operational requirements documents, 
and integrated logistics support plans. 

In addition, the Department reported in its December 2011 strategy for high-risk 
management that senior executives are not confident enough in the data to use the 
Department’s Decision Support Tool which was developed to help make acquisition 
decisions, address problems meeting cost or schedule goals, and prepare for program 
review meetings. 

Although the Department continues to make progress in improving its acquisition 
management, it remains a significant challenge, in part because of the magnitude 
of the number, dollar value, and complexity of its acquisition activity. 



12 


GRANTS MANAGEMENT 


Disaster Grants Management 

FEMA oversees billions of dollars in disaster grant funds each year, and, due to 
the environment under which these funds are administered, they are highly vulner- 
able to fraud, waste, and abuse. To illustrate, during fiscal years 2010 and 2011, 
the OIG’s audits of 105 disaster grants identified $365 million in questionable cost 
and funds that could be put to better use. The extent of the fraud, waste, and abuse 
that the OIG uncovers year after year in the disaster relief program, for the past 
20 years, is unacceptable, and it needs to be vigorously addressed. Yet FEMA still 
has not developed a robust program to curtail fraud, waste, and abuse within its 
disaster relief programs. 

Preparedness Grants Management 

During fiscal years 2002 through 2011, FEMA distributed over $18 billion through 
the Homeland Security Grant Program. According to an OIG report released this 
past July, FEMA does not have a system in place to determine the extent that 
Homeland Security Grant Program funds enhanced the States’ capabilities to pre- 
vent, deter, respond to, and recover from terrorist attacks, major disasters, and 
other emergencies. Also, FEMA does not require States to report progress in achiev- 
ing milestones as part of the annual application process. As a result, when annual 
application investment justifications for individual continuing projects are being re- 
viewed, FEMA does not know whether prior year milestones for the projects have 
been completed. FEMA also does not know the amount of funding required to 
achieve needed preparedness and response capabilities. 

Furthermore, according to the OlG’s annual Major Management Challenges re- 
port, dated November 2011, FEMA continues to face challenges in mitigating redun- 
dancy and duplication among preparedness grant programs, including barriers at 
the legislative, departmental, and State levels. The preparedness grant application 
process is ineffective because FEMA does not compare and coordinate grant applica- 
tions across preparedness programs. Since grant programs may have overlapping 
goals or activities, FEMA risks funding potentially duplicative or redundant 
projects. 

Public Law 110-53, Implementing Recommendations of the 9/11 Commission Act 
of 2007, required the OIG to audit individual States’ management of State Home- 
land Security Program and Urban Areas Security Initiatives grants and annually 
submit to Congress a report summarizing the results of these audits. In the audits 
completed to date, the OlG concluded that the States have generally done an effi- 
cient and effective job of administering the grant management program require- 
ments, distributing grant funds, and ensuring that all the available funds were 
used. 

However, on March 20, 2012, the assistant inspector general for audits testified 
that FEMA needs to make improvements in strategic management, performance 
measurement, and oversight. According to Ms. Richards, FEMA needs to improve 
its guidance on strategic plans for State Homeland Security Grants. While current 
guidance for State Homeland Security strategic plans encourages revisions every 2 
years, the language is such that it does not require revisions to be made — it is just 
strongly encouraged. Consequently, many States have outdated strategic plans, and 
many do not have Homeland Security strategic plans with goals and objectives that 
are specific, measurable, achievable, results-oriented, and time-limited. Without 
some form of measurable goal or objective, or a mechanism to objectively gather re- 
sults-oriented data. States have no assurance of the level of effectiveness of their 
preparedness and response capabilities. Also, States are less capable of determining 
progress toward goals and objectives when making funding and management deci- 
sions. The OIG reported deficiencies in strategic planning in 15 of the 20 State au- 
dits completed as of March 2012. 

In regard to performance measurement, Ms. Richards said that FEMA needs to 
improve its guidance on establishing metrics and measuring performance. The OIG 
continues to report that many States have not received proper guidance and, con- 
sequently, have not adequately documented or tracked their progress and perform- 
ance. Providing guidance on the appropriate metrics and requiring those metrics to 
be documented would provide the States with tools to help them understand the ef- 
fectiveness of each grant program. FEMA also needs to strengthen its guidance on 
reporting progress in achieving milestones as part of the States’ annual program 
justifications. Because of insufficient information on milestones and program accom- 
plishments, FEMA has been annually awarding Homeland Security Grant Program 
funds to States for on-going programs without knowing the accomplishments from 
prior years’ funding or the extent to which additional funds are needed to achieve 



13 


desired capabilities. Tracking accomplishments and milestones are critical elements 
in making prudent management decisions because of the evolving, dynamic changes 
that can occur between years or during a grant’s period of performance. OIG audits 
reported problems with performance measurement in 19 of 20 State audits com- 
pleted as of March 2012. 

Finally, Ms. Richards said that FEMA needs to improve its oversight to ensure 
the States are meeting their reporting obligations in a timely manner to ensure 
FEMA has the information it needs to make program decisions and oversee program 
achievements. Further, FEMA needs to improve its oversight to ensure that States 
are compl 3 dng with Federal regulations in regard to procurements and safeguarding 
of assets acquired with Federal funds. In its annual audits of the State Homeland 
Security Program, the OIG repeatedly found weaknesses in the States’ oversight of 
grant activities. 'Those weaknesses include inaccuracies and untimely submissions 
of financial status reports; untimely allocation and obligation of grant funds; and 
not following Federal procurement, property, and inventory requirements. Delays in 
the submission of Financial Status Reports hampers FEMA’s ability to effectively 
and efficiently monitor program expenditures and prevents the State from drawing 
down funds in a timely manner, ultimately affecting the effectiveness of the pro- 
gram. 

Strategic planning, performance measurement, and oversight are important man- 
agement controls for FEMA to ensure that Federal funds are used for their intended 
purpose and that enhancements in preparedness capabilities are being achieved. 
Without a bona hde performance measurement system, it is impossible to determine 
whether annual investments are actually improving our Nation’s homeland security 
posture. Furthermore, without clear, meaningful performance standards, FEMA 
lacks the tools necessary to make informed funding decisions. In today’s economic 
climate, it is critical that FEMA concentrate its limited resources on those threats 
that pose the greatest risk to the country. 

While some aspects of the Department’s management support challenges were in- 
herited from the Department’s legacy agencies, the complexity and urgency of the 
Department’s mission has oftentimes exacerbated the Department’s ability to ad- 
dress them in a disciplined and effective manner. 

It is evident that the Department’s senior officials are well aware of these chal- 
lenges and are attempting to remedy them, and they have actually made some head- 
way. The question is, however: Does the Department have the resolve and where- 
withal to sustain those efforts? The ability of the Department to do so is fragile, 
not only because of the early stage of development that the initiatives are in, but 
also because of the Government’s budget constraints and the current lack of re- 
sources to implement planned corrective actions. In today’s environment of large 
Government deficits and pending budget cuts, the new challenge will be to sustain 
the progress already made and at the same time continue to make the necessary 
improvements that are critical to the success of the Department’s management func- 
tions. 

Unless the Department and Congress stay focused on these challenges, it will be 
harder than ever to facilitate solutions to strengthen the Department’s management 
support functions and, ultimately, its homeland security mission. 

Mr. Chairman, this concludes my prepared statement. I will be pleased to answer 
any questions you or the Members may have. 

Chairman King. Thank you very much, Mr. Skinner, for your 
testimony. 

Our next witness, Stewart Baker, is a partner in the law office 
of Steptoe & Johnson here in Washington, DC. I first met Mr. 
Baker when he was the first assistant secretary for policy at the 
Department of Homeland Security. In that role, he led a staff of 
250 people and was responsible for the Department-wide policy 
analysis as well as the Department’s affairs, strategic planning, 
and relationships with law enforcement and public advisory com- 
mittees. 

Other than that, he had nothing to do. It was a 48-hour-a-day 
job, and Secretary Baker did an outstanding job. He was named 
the top lawyer in international security by 'Washingtonian maga- 
zine in 2011, and is an exceptionally distinguished attorney and 
public servant. 



14 


I am privileged to recognize Secretary Baker for 5 minutes. 

STATEMENT OF STEWART A. BAKER, FORMER ASSISTANT SEC- 
RETARY FOR POLICY, DEPARTMENT OF HOMELAND SECU- 
RITY 

Mr. Baker. Thank you, Chairman King, Ranking Member 
Thompson. It is a pleasure to be back here. I have almost recovered 
from my time in Government. You have seen my prepared testi- 
mony. What I thought I would do is just touch on three areas 
where the Department has big challenges, and actually challenge 
myself to give the Department a grade. So I will give the Depart- 
ment a grade on these things. 

On the question of unity, coordination, making the Department 
work as a whole, I think a C-minus is the best the Department can 
get. It gets that because we have had three strong Secretaries in 
a row who will not be denied when they are paying attention, the 
components, the Department act more or less as a whole. But the 
spotlight of Secretarial attention is not the only place that coordi- 
nation has to take place. 

Outside that spotlight, we are not seeing the coordination that is 
necessary. Probably more important in times of tough budgets than 
any other because we can no longer afford duplication of effort or 
initiatives that may meet a particular component’s priorities but 
don’t fit into the overall National priorities that the Secretary is 
setting. 

I think Ranking Member Thompson pointed out how important 
it is that we have a cohesive Department. I couldn’t agree more, 
and we are not there and not even close. As I think the Chairman 
pointed out, having 100 oversight committees means there is one 
committee in each body that actually wants a single policy to come 
out of the Department. 

Everybody else sees that the Secretary and the Secretary’s prior- 
ities as potentially getting in the way of their ability to oversee 
some component of the Department. So having reform of jurisdic- 
tion is absolutely essential if you are going to get that grade above 
a gentleman’s C-minus. 

Let me turn to something where I think the story is very good, 
in contrast, and where I would give the Department an A. That is 
in carrying out the vision of the Homeland Security Act, of think- 
ing seriously about keeping terrorists from crossing our borders. 
That used to be spread among three or four different agencies, and 
none of them thought that was their most important mission. 

Putting all of those authorities in one place has led to a trans- 
formation of the way we think about border security. The way we 
have transformed that is in getting more data about the people 
who are coming across the border — whether it is the ESTA or PNR 
or the overseas interviews that Customs and Border Protection 
does, or for the first time — we actually know whether the people 
who are coming from other countries are criminals or not, some- 
thing we never knew. 

None of that would have happened because all of it came with 
a privacy resistance, an international resistance that three Secre- 
taries in a row have stood up to, to build a much clearer sense of 
who is coming across our borders so we focus our attention on the 



15 


riskiest travelers. Chairman King, you mentioned all of the domes- 
tic attacks, many of them thwarted. 

What is little covered — although I think this committee knows it 
quite well — is that in practically every one of those CBP, thanks to 
its data programs, knew something about, and contributed to the 
thwarting of^ those attacks, or the apprehension of the attackers. 
That is a complete change from where we were when the Home- 
land Security Act was passed. 

Finally, let me turn to someplace where I would give the Depart- 
ment, I guess, a B-plus for defending its turf but a D-plus for actu- 
ally making us safer. That is in cyber. We are not safer than we 
were when the Homeland Security Act was passed. Things have 
gotten worse there. 

We need to be doing much more. I believe that more regulatory 
authority is necessary. Certainly the Department needs a better re- 
lationship with NSA than they have today. But I think even with- 
out taking on the regulatory issue, there are ways to work with the 
private sector to build a better information-sharing system than we 
currently have without having to go back and change some of the 
privacy laws that have made it hard to do that. 

By opening up the resources of the private sector to actually fund 
more investigations. I won’t dwell on that, but I think the Depart- 
ment, if they are serious about this, can make a big difference in 
cyber. But they are going to need to improve their workforce sub- 
stantially. 

Thank you. 

[The prepared statement of Mr. Baker follows:] 

Prepared Statement of Stewart A. Baker 
September 20, 2012 

Thank you, Chairman King, Ranking Member Thompson, and distinguished Mem- 
bers of the committee, for this opportunity to testify on the state of the Department 
of Homeland Security. 

This is a timely hearing. We are approaching the tenth anniversary of the Home- 
land Security Act that created the Department. It’s time to ask what the Depart- 
ment has done well, where it has failed, and how it can do better in the future. 

where dhs still falls short 

I will cut to the chase. The Department’s biggest unmet challenge is making sure 
that its components are working together to the same goal. This was a central objec- 
tive of the Homeland Security Act. It combined many agencies into a single Depart- 
ment so that all of them would use their authorities cooperatively in the fight 
against terrorists. 

That may seem obvious, but this is Washington, and doing the obvious is not 
easy. The coordination efforts of a 10-year-old Department do not always impress 
component agencies that can trace their origins to the founding of the Republic. 

The good news of the last 10 years is that the Department has had three Secre- 
taries who had no doubt about who was running the Department and who insisted 
on the cooperation of all parts of the Department to implement their highest prior- 
ities. The bad news is that, in my view, these accomplishments owe more to the Sec- 
retaries’ personalities than to the institutions they have built. In general, the offices 
that support the Secretary, from the various management offices to the office of pol- 
icy, have not created a framework that can coordinate the big, proud components 
of DHS on issues that are outside the spotlight of Secretarial attention. 

The need to strengthen those institutions is especially pressing now. We face a 
possible change of leadership at DHS no matter who wins the next election. And 
the Department faces a difficult budget outlook. Even in a time of record deficits, 
DHS’s budget has hit a ceiling. There is almost no prospect of overall budget in- 
creases in the future, and cuts are likely. Budget decisions simply must be based 



16 


on how each component’s expenditures fit the Department’s highest priorities. The 
Department will have to identify redundancies and may have to eliminate programs 
with powerful constituencies, if that is not done on the basis of a careful, institu- 
tionalized review of the Department’s overall strategy, we will not use the scarce 
dollars that remain in a way that best protects the country. That would be a trag- 
edy. 


THREE CASE STUDIES 

That, of course, is a very general evaluation. Let me be more specific about sev- 
eral important DHS initiatives. 

1. Data-based security screening 

One of the Department’s unquestionable successes is the way it has unified the 
Government’s screening and enforcement on the border, something that was once 
a side business for three or four departments with other priorities. DHS realized 
early that it couldn’t spend even 5 minutes with every traveler who was crossing 
the border. Instead, it had to concentrate on the riskiest travelers, and to do that 
it needed more information about travelers, as far in advance as possible. As with 
so much at the Department, this has been a bipartisan priority; Secretary Napoli- 
tano has preserved and improved many data programs launched under earlier Sec- 
retaries. And DHS’s data programs have contributed to the identification and appre- 
hension of several travelers seeking to commit acts of terror on U.S. soil in recent 
years. 

This initiative has been a great success — one that could not have been achieved 
without the Department. The use of travel reservation (“PNR”) data to screen trav- 
elers has come under constant attack on bogus privacy grounds from the European 
Union, which has torn up its earlier agreement to honor the program every time 
a new Secretary has been sworn in. Every time, the new Secretary has insisted on 
maintaining the program. 

The Department has also gone on the offensive to get other important data about 
travelers. Before the Department was created, remarkably, our border inspectors 
had no way to know whether travelers from other countries had been convicted even 
of the most serious crimes. Now, thanks to the leverage of the Visa Waiver Program, 
every participating country other than Japan has a “PCSC” agreement with the 
United States, that will provide access to travelers’ criminal records. The Depart- 
ment has also implemented ESTA, a “reservation” system that allows the Depart- 
ment to screen VWP travelers for potential risk before they begin their trips. 

The Department has further expanded available information by launching Global 
Entry, which speeds clearance at the border for travelers who have been vetted in 
advance. Going forward, it will have background information on frequent travelers 
from a number of foreign partners, including the Netherlands, South Korea, Ger- 
many, Australia, and Brazil. As a result, DHS can focus more resources on riskier 
travelers. 

Finally, DHS has begun gathering more data in foreign airports, successfully post- 
ing U.S. Government officers there to interview and in some cases to pre-dear trav- 
elers, a security enhancement that benefits both the individual traveler and the host 
government. 

These data programs have improved the efficiency of border screening while also 
speeding most travelers across the border more quickly. Despite the hostility of pri- 
vacy campaigners, the programs have proved themselves. There have been no 
known abuses of the data. This is a success that could only have been achieved by 
a unified Department. It is a success that DHS can be proud of. 

That does not mean that it is perfect. In my view, our international negotiation 
strategy needs a coherent plan, with priorities, to make sure we get the most impor- 
tant information about the riskiest travelers at least cost to the United States. I 
also fear that our last PNR agreement accepted too many of Europe’s limitations 
on PNR while surrendering too many protections for the program. And I’m dis- 
appointed that we have not persuaded Japan to supply information about the 
yakuza, or professional criminals, who may be traveling to the United States. But 
these are tactical criticisms of a program that is a great strategic victory. 

Indeed, it is a victory that is paying dividends in airports around the country. Ev- 
eryone likes to criticize TSA, and one of the most valid criticisms is that it treats 
all of us like suspected terrorists. What’s less known is that this treatment was 
more or less mandated by privacy campaigners, who persuaded Congress that TSA 
could not be trusted with the same travel reservation data that our border officials 
use every day. Lacking any information about travelers, TSA had no choice but to 
treat them all alike. 



17 


Now that the use of data for screening at the border has proven itself, the dam 
is beginning to break for TSA as well. TSA now has access to each traveler’s name, 
gender, and date of birth. Increasingly, it also knows about the traveler’s travel his- 
tory, based on the voluntary provision of frequent flier data. It has shown how this 
data allows risk-based variations in screening, using date of birth to reduce screen- 
ing hassles for children under 12 and seniors over 75. And overseas, in response to 
the Christmas day bomb attempt, CBP and TSA are combining forces to do data- 
based screening of passengers on U.S.-bound foreign flights. Finally, TSA is using 
Global Entry and other data to create a known traveler screening process for domes- 
tic flights. 

This is all great progress, though more is needed. In the next 5 years, TSA should 
expand its use of data-based screening further, expediting travel for the great ma- 
jority while demonstrating that it can be trusted with personal data. Because of 
past privacy limitations, it is likely that TSA will need Congressional assistance to 
achieve this goal. 


2. CYBERSECURITY 

Sometimes it’s easier to persuade the team to give you the ball than to actually 
run with it. That is DHS’s problem in cybersecurity right now. 

DHS seems to have successfully fended off the many agencies and committees 
that wanted to seize parts of its cybersecurity mission. Whether DHS can carry out 
the mission, though, remains uncertain. 

Although the Homeland Security Act clearly gave DHS authority over civilian cy- 
bersecurity issues, it did not give DHS the kind of trained personnel it needed. 
Finding talented cyberwarriors is a challenge even for private-sector firms. Attract- 
ing them to the Department has been doubly difficult, especially with a hiring proc- 
ess that in my experience was largely dysfunctional. The Department’s biggest chal- 
lenge is hiring and maintaining a cybersecurity staff that can earn the respect of 
private cybersecurity experts. With the exception of a handful of officials, DHS has 
not yet built a cadre of employees who can match their counterparts at NSA or 
Goldman Sachs. This is critical. If DHS fails in personnel, it will likely fail in the 
rest of its cybersecurity-related activities. 

There are other challenges for DHS in cybersecurity. They include: 

• Building a better relationship with NSA. — The outlines of a working relation- 
ship with NSA are obvious. DHS should provide policy guidance based in law 
and prudence for any cybersecurity mission affecting the civilian sector, but it 
must rely heavily on NSA’s technical and operational expertise. This funda- 
mental truth has been obscured by personalities, mistrust, and impatience on 
both sides. It’s got to end, especially in the face of adversaries who must find 
the squabbling email messages especially amusing because they are reading 
them in real time. 

• Gaining authority to insist on serious private-sector security measures. — DHS 
has plenty of legislative authority to cajole and convene the private sector in 
the name of cybersecurity. It’s been doing that for 10 years. The private sector 
has paid only limited attention. In part that’s because DHS had only modest 
technical expertise to offer, but it’s largely because few industries felt a need 
to demonstrate to DHS that they were taking its concerns seriously. That is one 
reason that DHS needs at least some authority to demand that industry re- 
spond to the cybersecurity threat, especially where it poses risks to civilian life 
that are not adequately recognized by the market. I fully recognize that cyberse- 
curity measures do not lend themselves to traditional command-and-control reg- 
ulation, and that information technology is a major driver for economic growth. 
That’s a reason to be cautious about how Government approaches the private 
sector. But it’s not a reason for Government to ignore the risk of a cybersecurity 
meltdown. It’s worth remembering that, for a couple of decades, we were told 
that the financial derivatives trade was too complex for traditional Government 
regulation and a major driver of economic growth, and that the private sector 
could do a better job of internalizing risk than any Government regulator. We 
should not wait for the cybersecurity equivalent of the financial meltdown to 
give DHS a larger role in cybersecurity standards. 

Sometimes the businessmen arguing against regulation are wrong — so wrong that 
they end up hurting their own industries. I believe that this is true of those who 
oppose even the lightest form of cybersecurity standards. Most of the soft quasi-reg- 
ulatory provisions that business groups rejected in talks with the Senate will likely 
be incorporated into an Executive Order that they will have little ability to influ- 
ence. Even worse from their point of view, the pressure for legislation is likely to 
continue — and will become irresistible if we suffer a serious infrastructure failure 



18 


as a result of hacking. In that event, the cybersecurity legislation that Congress 
adopts will have to go beyond the Executive Order and into the territory of much 
tougher regulation. By failing to adopt more limited legislation now, Congress is 
sowing the seeds for more aggressive regulation in the future. 

Moving beyond the fight over “regulation”. — That said, DHS cannot wait for a Na- 
tional consensus on its regulatory role. There are many other steps that DHS could 
take to improve cybersecurity without touching the regulatory third rail. Let me 
outline a few of them here: 

• Information-sharing. — It should be obvious why the targets of cyber attacks 
need to share information. We can greatly reduce the effectiveness of those at- 
tacks if we use the experience of others to bolster our own defenses. As soon 
as one victim discovers a new command-and-control server, or a new piece of 
malware, or a new email address sending poisoned files, that information can 
be used by other companies and agencies to block similar attacks on their net- 
works. This is not information sharing of the “let’s sit around a table and talk” 
variety. It must be automated and must occur at the speed of light, not at the 
speed of lawyers or bureaucrats. 

I supported CISPA, which would have set aside two poorly-conceived and aging 
privacy laws that made it hard to implement such sharing. I still do. But if 
CISPA is going to be blocked for a time by privacy objections, as seems likely, 
we need to ask a different question: Can the automated information-sharing 
system that we need be built without rewriting those aging privacy laws? I be- 
lieve that it can; we simply need a more creative and determined approach to 
the law. Administration lawyers, who have taken an unnecessarily rigid view 
of existing law, should be sent back to find ways to build automated information 
sharing under existing law. 

• Emphasize attribution. — We will never defend our way out of the cybersecurity 
crisis. I know of no other crime where the risk of apprehension is so low, and 
where we simply try to build thicker and thicker defenses to protect ourselves. 
The obvious alternative is to identify the attackers and to find ways to punish 
them. But many information security experts have grown skeptical of this alter- 
native. As they point out, retribution depends on attribution, and attribution is 
difficult; attackers can hop from country to country and from server to server 
to protect their identities. 

That skepticism is outmoded, however. Investigators no longer need to trace 
each hop the hackers take. Instead, they can find other ways to compromise and 
then identify the attackers, either by penetrating hacker networks directly or 
by observing their behavior on compromised systems and finding behavioral 
patterns that uniquely identify the attackers. It is harder and harder for anyone 
to function in cyberspace without dropping bits of identifying data here and 
there. If our security is inherently flawed, so too is the security of our attackers. 
This means that it is realistic to put attribution at the center of our response 
to cyberattacks. 

We should take the offense, surrounding and breaking into hacker networks to 
gather information about what they’re stealing and who they’re giving it to. 
That kind of information will help us prosecute criminals and embarrass state- 
sponsored attackers. It will also allow us to tell the victim of an intrusion with 
some precision who is in his network, what they want, and how to stop them. 
DHS’s intelligence analysis arm should be issuing more such reports and fewer 
bland generalities about terrorism risks for local law enforcement agencies. 

• Use DHS law enforcement authorities more effectively. — Law enforcement agen- 
cies have a vital role to play in cybersecurity — even when the prospect of actu- 
ally arresting the attacker is remote. Law enforcement agencies have investiga- 
tive authorities, including search warrants and wiretaps, that can help identify 
attackers. Those authorities should be used strategically to aid in the overall 
attribution effort. 

The best way to achieve that goal is for DHS’s cybersecurity office to be fully 
coordinated with law enforcement agencies that have criminal investigative au- 
thorities. By pooling information, authorities, and resources, these agencies 
should pursue a common strategy — one that identifies the bad guys, first to dis- 
able their attacks and eventually to bring them to justice. Coordination between 
DHS and the FBI may have its challenges, but today it seems that there is only 
modest coordination even between DHS’s cybersecurity office and its own 
cybercrime investigators. Certainly I have seen no sign that ICE and Secret 
Service investigations are prioritized strategically based on guidance from the 
DHS cybersecurity office. The result is wasted opportunities and wasted re- 
sources. Instead, ICE and Secret Service cybercrime investigators should be de- 



19 


tached to a task force ran by the cybersecurity office as a way of dramatizing 
the need for an all-of-DHS approach to the problem. 

Law enforcement authorities create a second opportunity that we are not fully 
exploiting. Increasingly, it is law enforcement that tells businesses they have 
been compromised. But usually the first question from businesses is one best 
directed towards the cyber defenders rather than the cyber cops: “What can we 
do to get the attacker out?” This is a “teachable moment,” when all of DHS’s 
cyberdefense and industry-outreach capabilities should be engaged, talking to 
the compromised company about the nature of the intruder, his likely goals and 
tactics, and how to defeat them. Currently, however, DHS’s cybersecurity office 
and its cybercrime investigators do not present themselves as a unified team 
when visiting the victims of attacks. Better coordination within the Department 
would pay dividends and provide a model for coordination across Department 
lines. 

• Recruit private-sector resources to the fight . — In my private practice, I advise a 
fair number of companies who are fighting on-going intrusions at a cost of $50 
or $100 thousand a week. The money they are spending is going almost entirely 
to defensive measures. At the end of the process, they may succeed in getting 
the intruder out of their system. But the next week, the same intruder may get 
another employee to click on a poisoned link and the whole process will begin 
again. It’s a treadmill. Like me, these companies see only one way off the tread- 
mill: To track the attackers, figure out who the attackers are and where they’re 
selling the information, and then sanction the attackers and their customers. 
When private companies’ cybersecurity executives were surveyed recently, 
“more than half thought their companies would be well served by the ability to 
‘strike back’ against their attackers.” W. Fallon, Winning Cyber Battles Without 
Fighting, Time (Aug, 27, 2012). And the FBI’s top cybersecurity lawyer just this 
week called our current strategy a “failed approach” and urged that the Govern- 
ment enable hacking victims “to detect who’s penetrating their systems and to 
take more aggressive action to defend themselves.” Washington Post (Sep. 17, 
2012 ). 

He’s right. But under Federal law, there are grave doubts about how far a com- 
pany can go in hacking the hackers. I happen to think that some of those 
doubts are not well-founded, but only a very brave company would ignore them. 
Now, there’s no doubt that tJ.S. intelligence and law enforcement agencies have 
the authority to conduct such an operation, but by and large they don’t. Com- 
plaining to them about even a state-sponsored intrusion is like complaining to 
the D.C. police that someone stole your bicycle. You might get a visit from the 
police; you might get their sympathy; you might even get advice on how to pro- 
tect your next bicycle. What you won’t get is a serious investigation. There are 
just too many crimes that have a higher priority. 

In my view, that’s a mistake. The Department, drawing on the resources of the 
entire Government, should do some full-bore criminal and intelligence investiga- 
tions of private-sector intrusions, especially those that appear to be state-spon- 
sored. We can identify the attackers, and we can make them pay. 

But if we want do that at scale, we have to let the victims participate in, and 
pay for, investigations that the Government will never have the resources to 
pursue. Too many Government officials have viewed such private counter- 
measures as a kind of vigilante lynch mob justice. That just shows a lack of 
imagination. In the real world, if someone stops making payments on a car loan 
but keeps the car, the lender doesn’t call the police; he hires a repo man. In 
the real world, if your child is kidnapped, and the police aren’t making it a pri- 
ority, you hire a private investigator. And, if I remember correctly the westerns 
I watched growing up, if a gang robs the town bank and the sheriff finds him- 
self outnumbered, he deputizes a posse of citizens to help him track the robbers 
down. Not one of those solutions is the equivalent of a lynch mob or of vigilante 
justice. Every one allows the victim to supplement law enforcement while pre- 
serving social control and oversight. 

DHS could probably experiment with that solution tomorrow if it chose, as could 
the FBI. Its law enforcement agencies often have probable cause for a search 
warrant or even a wiretap order aimed at cyber intruders. I know of no legal 
barrier to obtaining such an order, then rel 3 dng on a private contractor paid by 
the victims to actually cariy out the search or the tap, as long as that happens 
under Government supervision. (The Antideficiency Act, which arguably pro- 
hibits the Government from accepting free services, has more holes than my 
last pair of hiking socks, including exceptions for protection of property in emer- 
gencies and for gifts that also benefit the donor.) 



20 


If systematic looting of America’s commercial secrets truly is a crisis, and I be- 
lieve that it is, why have we not already unleashed the creativity and resources 
of the private sector that attackers are victimizing? 

Mr. Chairman, that concludes my prepared testimony. I will be pleased to answer 
any questions the committee may have. 

Chairman King. Thank you, Secretary Baker. 

Our next witness, Frank Cilluffo, is associate vice president at 
George Washington University, where he directs the Homeland Se- 
curity Policy Institute. I have had the privilege of being out there. 
You know, it is accurate to say that Mr. Cilluffo was present at the 
creation. 

Shortly after the 9/11 attacks, Mr. Cilluffo was appointed by the 
President to the Office of Homeland Security, and served as the 
principle advisor to Governor Tom Ridge. Prior to his White House 
appointment, Mr. Cilluffo served in policy positions at the Center 
for Strategic and International Studies. 

His work has been widely published in academic, law, business, 
and policy journals, as well as magazines and newspapers around 
the world. Without giving away too much, I can tell you often, be- 
fore we prepare our committee agenda or look into topics we are 
going to cover, we look at what you have been saying on it lately. 
We certainly appreciate your wisdom and input. 

With that, Mr. Cilluffo, I am privileged to recognize you for 5 
minutes. 

STATEMENT OF FRANK J. CILLUFFO, FORMER PRINCIPAL AD- 
VISORY TO GOVERNOR TOM RIDGE, WHITE HOUSE OFFICE 

OF HOMELAND SECURITY 

Mr. Cilluffo. Thank you, Mr. Chairman. Thank you for the op- 
portunity to appear before you today. Mr. Thompson, good to see 
you again, as well. Let me also, before jumping in — and I was 
asked to talk on the threat-related issues — thank you for your lead- 
ership in this committee. I mean, you really have taken on the 
hard issues facing this country. 

I think you have tackled them head-on. Not an easy set of issues. 
I will be very brief, not my strong suit as I have never had an 
unspoken thought. But what I thought I would do is touch on some 
of the counterterrorism issues that we see and the current ter- 
rorism threat, as well as some of the cyber challenges where I am 
very much in agreement with Stewart’s prognosis. 

Firstly, as the recent terrorist attack in Benghazi clearly dem- 
onstrated, as well as unrest not only the Middle East, in North Af- 
rica, but also in Southeast Asia, there is no time to be lulled into 
a sense of complacency. A set of issues that I think a lot of people 
have been. 

Yes, we have had a number of successful counterterrorism events 
of late. Most notably, the successful strike against Osama bin- 
Laden, Anwar al-Awlaki, Ilyas Kashmiri, probably the most dan- 
gerous unknown terrorist out there. But by no means does this 
mean that ding-dong, the witch is dead. 

Unfortunately, what we have seen is the threat metastasize. It 
has morphed. Today, it comes in various shapes, sizes, flavors, and 
forms, ranging from al-Qaeda senior leadership, still operating out 
of the Fatah as well as its affiliates, most notably al-Qaeda in the 
Arabian Peninsula; home to probably the world’s most dangerous 



21 


bomb maker, in Ibrahim al-Asiri, to al-Qaeda and the Islamic 
Maghreb, which is growing leaps and bounds not only across the 
Maghreb but also throughout the Sahel, as well as like-minded 
jihadi organizations in the African continent as a whole. 

Ansar al-Dine in Mali, you are seeing Mauritania being taken 
over by Islamist groups, all the way through to the Horn of Africa, 
with A1 Shabaab in Somalia. So the prognosis is not very good. Ac- 
tually, if you have seen the way it has spread, I am not sure that 
some of our traditional counterterrorism instruments are the most 
appropriate right now. 

Moreover, the reason you have seen some success in the Fatah 
is because we have — think of it as — suppressive fire. It is based on 
our successful counterterrorism initiatives. If we ease off that gas 
pedal, don’t think that that vacuum isn’t going to be instanta- 
neously filled not only by al-Qaeda, but other like-minded individ- 
uals. 

Bottom line here is, is the more time they are looking over their 
shoulder the less time they are plotting, training, and executing at- 
tacks. So I just warn the Congress to be able to support some of 
our counterterrorism measures. African continent, I can get into 
that in greater depth later. 

But you literally are seeing swaths; the entire Maghreb, north- 
west Africa, all the way through from Mauritania to the Horn of 
Africa, in Somalia. These are areas where you are seeing Jihadi 
groups take advantage of under- and un-governed spaces. Why any 
of these regions? Because they are un-governed spaces. 

I would also note that you have seen the homegrown threat in 
the United States. This is not an insignificant set of issues. We 
have had 58 cases, 58 plots, that have been prevented since 9/11. 
Some of those very significant. In New York City, for example, Naji 
Bolazazi. That was a very significant plot. 

That was blinking red as red could be red. Faisal Shahzad, also 
a very significant plot. So as much as we can lean forward and sup- 
port our State and local law enforcement authorities, I think we 
need to be able to do so very quickly on cyber. I think it is fair to 
say that our cyber community is where homeland and counterter- 
rorism community was shortly after 9/11. 

We have a lot to do. Long on nouns, short on verbs. We have 
been talking about it, but we are not actually addressing some of 
the most significant issues. To rack and stack the threat, you have 
got countries that are integrating computer network attack and 
computer network exploit into their warfighting capabilities. 

Russia, China, at the top of the list. But also, you have countries 
like North Korea, Iran, who are increasingly becoming a terrorist 
threat. Their proxies, Hezbollah, are of great concern. What they 
lack in capability they more than make up for in intent. In the 
cyber domain, you can buy capabilities. 

Intent and cash can take you a long way, something I think we 
need to be thinking about. Finally, in terms of recommendations — 
and I will be very quick here — one policy recommendation. The big- 
gest, biggest missing dimension of our counterterrorism statecraft 
thus far, in my eyes, has been, “It is the ideology.” To paraphrase 
Bill Clinton, it is not, “the economy, stupid,” but, in this case, “the 
ideology, stupid.” 



22 


We have got to get a comprehensive approach that exposes the 
hypocrisy of the jihadists and ultimately helps facilitate it fall 
under its own weight. Think of negative political campaigning. We 
need to do more in this respect. We also need to start focusing on 
the victims, not only the perpetrators. 

Ultimately, to me, this is where we have an awful lot we should 
and can do beyond the traditional battlefields. Second, a structural 
one. That Department of Homeland Security, I would argue, needs 
an office of net assessment; someone who is not fettered by day-to- 
day intelligence needs, not fettered by day-to-day policy needs, but 
has the ability to step back, think big, ask the what-ifs, look for 
the game-changers. 

That doesn’t currently exist because everyone is running out of 
their inboxes daily. A very tactical one, NPPD as well as intel- 
ligence and analysis at DHS. I think they have a very unique thing 
that they can bring to the counterterrorism fight. That is, coming 
up with new intelligence products that are very oriented around 
critical infrastructures. 

No one else in the intelligence community has that capability. 
We need to make that a reality. Information sharing, we have got 
to move at least the CISPA bill that Mr. Rogers and others had 
proposed, if you ask me. Is it enough? Probably not. But at the very 
least, we need to move on those measures. 

Finally, in the cyber domain we are never going to firewall our 
way out of the problem. At the end of the day, the initiative stands 
with the offender, on the offense. So we have got to clearly articu- 
late a cyber deterrent strategy, one that is actor-specific. Because 
right now, we are lumping China and Russia with a kid operating 
out of his basement, drinking a lot of Jolt Cola or whatever they 
drink nowadays. 

But at the end of the day we need to get to the point where we 
can actually have a clearly articulated cyber deterrent strategy, 
and one that we are willing to act when red lines are crossed. 

Thank you, Mr. Chairman. 

[The prepared statement of Mr. Cilluffo follows:] 

Statement of Frank J. Cilluffo 
September 20, 2012 

Chairman King, Ranking Member Thompson, and distinguished Members of the 
committee, thank you for the opportunity to testify before you today. Throughout 
your tenure as Chairman of this committee. Congressman King, you have consist- 
ently taken on the hard issues facing our country, and have committed to address- 
ing them. Thank you for your leadership. Turning to the timing and subject of to- 
day’s hearing both are well-selected. As recent events from the Middle East and 
North Africa through to Southeast Asia regrettably illustrate, violent extremism 
continues to thrive. With the United States and its interests still in the cross-hairs 
of jihadi and Islamist militants across the globe, the present moment is sadly oppor- 
tune to assess the activities of the Department of Homeland Security (DHS) and 
give careful consideration to a roadmap for its future. Despite significant progress, 
especially on the counterterrorism front, the existing and projected threat climate 
is such that continued vigilance and a robust as well as proactive posture is need- 
ed — not only at DHS but throughout Government, at all levels, and supported by 
approaches that effectively integrate the private sector and the efforts of individual 
citizens too. 



23 


THE THREAT ECOSYSTEM OF TODAY AND TOMORROW: CHALLENGES FOR DHS AND 

BEYOND 

Al-Qaeda (AQ) has been a shrewd practitioner of the art of stoking, piggybacking 
upon, and exploiting local grievances in order to further AQ’s own goals and objec- 
tives and the broader global jihad. In a military context, this is referred to as tac- 
tical, operational, and strategic “swarming”; and it has clearly been adopted by oth- 
ers as well, as recent incidents around the globe have unfortunately demonstrated. 
Usama bin Laden may be dead, but the toxic ideology that he left behind lives on, 
and the narrative that it informs continues to resonate powerfully in certain quar- 
ters. Today perhaps the most significant locus of his legacy and methods is in Afri- 
ca; though Pakistan’s Federally Administered Tribal Areas, better known as FATA, 
remain a combustible region, one where it would be imprudent to ease up on U.S. 
pressure against militants. ^ 

In Africa, al-Qaeda in the Arabian Peninsula (AQAP), al-Qaeda in the Islamic 
Maghreb (AQIM), A1 Shabab (Somalia), Ansar al-Dine (Mali), Boko Haram (Nigeria), 
and their ilk persist in sowing discord and violence in a cross-continental swath 
ranging from east to west, leaving not even Timbuktu untouched. Indeed, even 
Yemen, the subject of significant counterterror efforts on the part of the United 
States (and others), remains home to AQAP and to one of the world’s most dan- 
gerous bomb-makers, Ibrahim al-Asiri. Notwithstanding U.S. and allied counterter- 
rorism efforts that bave yielded a good measure of success, these terror affiliates 
remain committed to carrying forward the mantle of bin Laden, and to exploiting 
both ungoverned and under-governed spaces. The latter tactic pre-dated the Arab 
Spring, but evidenced reinforcement and magnification thereafter. The tragic vio- 
lence of recent days, beginning in Benghazi and directed against U.S. personnel and 
interests (and those of allies), may come to further prove this point, though key facts 
remain under investigation. 

As observed in a report on Mauritania published earlier this year by the Carnegie 
Endowment for International Peace, Africa is a hot spot because of the confluence 
of multiple factors, including poverty, corruption, and weak governance. The ensu- 
ing void left in countries like Mauritania, where state infrastructure like the edu- 
cation system is weak, offers an opening to “mahadras” (religious schools) propa- 
gating violent ideologies, which in turn spur the growth of militancy. The outlook 
for the Continent is not entirely bleak however; as the study points out, “there is 
a high level of distrust between black Africans and AQIM, a movement led and 
dominated by Arabs” — which portends a recruitment challenge for al-Qaeda forces 
in the area, at least in the longer term.^ The outcome is not predetermined, though, 
as AQ was able to surmount and ingrain itself into the tribal populations indigenous 
to the FATA by pursuing a concerted strategy of marrying into these clans. Whether 
a similar or other course might further pave the way for inroads into African coun- 
tries remains to he seen and merits continued U.S. vigilance, as well as that of our 
allies. 

The various terrorist organizations cited above are exhibiting, moreover, an in- 
creasing willingness to reach out and partner with one another, as well as with oth- 
ers, who may he able to help build their indigenous capacities and further their par- 
ticular goals. The twin phenomena of violent extremism and cross-group cooperation 
of such forces is assuredly not limited to Africa, and extends to the veritable witch’s 
brew of forces that ranges from Iraq, Pakistan, and the Caucasus, to Mali, Nigeria, 
and Somalia — where militants linked to al-Qaeda tried to kill the country’s new 
President just last week in a double suicide/homicide blast. Pakistan is especially 
complex, and dangerous. Groups that were once regionally focused now subscribe 
ever-more to al-Qaeda’s goals and the broader global jihad. This toxic blend includes 
the Haqqani network,^ Laskhar-e-Taiba (LeT), Tehrik-i-Taliban Pakistan, Harkat- 


^U.S. military actions, including the use of drones, have had significant operational effects 
on al-Qaeda (and associated entities) by disrupting foreign fighter pipelines to the region, activi- 
ties of key facilitators, and training camps. Think of it as suppressive fire. The more time al- 
Qaeda and associated entities spend looking over their shoulders, the less time they have to 
train, plot, and execute terrorist attacks. And with al-Qaeda senior leaders on their back heels, 
now is the time to exploit this unique window of counterterrorism opportunity by maintaining 
the operational tempo to consolidate these gains. 

^Anouar Boukhars, The Drivers of Insecurity in Mauritania Carnegie Paper (April 2012) 
http:! ! carnegieendowment.org ! 2012 j 04 ! 30 1 drivers-of-msecurity-in-mauritania^. 

3 Recently designated a Foreign Terrorist Organization by the Department of State (a too-long 
delayed move, though one rightly supported by the Chairman of this Committee), http:! I 
translations.state.gov / St I english I artiele / 2012 j 09 1 20 120907 135632. html#axzz26kbUie00; see 
also Frank J. Cilluffo, “U.S. -India Counterterrorism Cooperation: Deepening the Partnership” 

Continued 



24 


ul-Jihad al-Islami (HuJI), Jaish-e-Mohammed, and the Islamic Movement of Uzbek- 
istan; all of which cooperate with al-Qaeda on a tactical and sometimes strategic 
basis, linked by an affinity for militant Islamist ideology — with United States, In- 
dian, Israeli, and Western targets increasingly in their cross-hairs. Historically, col- 
laborative efforts among such groups were primarily linked to covert logistical sup- 
port, including the provision of money, safe havens, and arms, as well as the move- 
ment back and forth of key personnel from one entity to another. 

Not so today, where the relationships between terrorist groups are becoming more 
overt and strategic in nature. As events on the ground in Syria demonstrate, there 
will be no shortage of opportunities for foreign fighters who wish to travel to jihadi 
conflict zones. Consider also Africa, where the head of U.S. Africa Command Gen- 
eral Carter Ham has stated that “the linkages between AQIM and Boko Haram are 
probably the most worrisome in terms of the indications we have that they are like- 
ly sharing funds, training and explosive materials that can be quite dangerous. 
So too closer to home, where the Commander of U.S. Southern Command General 
Douglas M. Fraser has observed a similar type of convergence (based on conven- 
ience) between terrorist and criminal organizations in the Tri-Border area of Argen- 
tina, Brazil, and Paraguay.® Within the Continental United States, furthermore, the 
New York City Police Department has expanded its decade-plus focus on core al- 
Qaeda, affiliates, and the homegrown threat (inspired by AQ), to include Iran and 
Hezbollah — as part of NYPD’s continuing efforts to build a robust and independent 
counterterror posture for the City of New York.® In turn, the Los Angeles Police De- 
partment recently elevated the government of Iran and its proxies (notably 
Hezbollah) to a Tier I threat.'^ This last development is particularly concerning 
given Iran’s on-going drive to achieve nuclear weapons capability, and the statement 
this month of Lebanese Hezbollah leader Sayyed Hassan Nasrallah to the effect that 
there will be no distinction drawn between Israel and the United States in terms 
of retaliation, should Israel attack Iran to halt its progress toward the nuclear goal: 
“If Israel targets Iran, America bears responsibility.”® Both the Director of the (U.S.) 
National Counterterrorism Center and the Director of National Intelligence have 
underscored concern about Iran and their proxies, suggesting respectively in recent 
testimony (the former before this committee) that “Iran remains the foremost state 
sponsor of terrorism”®; and that Iran is “now more willing to conduct an attack in 
the United States. 

All this to say there is little ground for complacency, as toxic forces converge and 
cooperate in multiple spots across the globe, more than ever before; as ideology and 
narrative continue to inspire, including those here in the United States — recall that 
58-plus homegrown jihadi terrorism plots have been discovered in this country since 
9/11; and as foreign fighters return to their homelands battle-hardened and armed 
with Western passports — 10 feet tall in the eyes of those who admire their exploits, 
and more importantly, a direct threat to Western security given their familiarity 
with potential targets they may select to attack. ^ Where foreign fighters are con- 
cerned, so-called “bridge figures” are of special importance, as they ensure that par- 


Hearing before the House of Representatives Committee on Foreign Affairs, Subcommittee on 
Terrorism, Non-proliferation and Trade (September 14, 2011) http:! I www.gwumc.edu Ihspil 
policy / testimony9.13. 1 1 cilluffo.pdf. 

^Tristan McConnell, “Triple threat: Coordination suspected between African terrorist organi- 
zations” Global Post (June 26, 2012) http:/ 1 www.globalpost.com I dispatches I globalpost-blogs I 
africa/ triple-threat-coordination-suspected-between-c^rican-terronst-or. 

® Statement before the Senate Armed Services Committee (March 6, 2012) http:/ Iwww.armed- 
services.senate.gov j statemnt / 2012 / 03%20March / Fraser%2003-13-12.pdf. 

® Testimony of Mitchell D. Silber before the U.S. House of Representatives Committee on 
Homeland Security Iran, Hezbollah, and the Threat to the Homeland (March 21, 2012) http:/ / 
homeland.house.gov /sites / homeland.house.gov /files / Testimony-Silber.pdf. 

Frank J. Cilluffo, Sharon L. Cardash, and Michael Downing, “Is America’s view of Iran and 
Hezbollah dangerously out of date?” FoxNews.com (March 20, 2012) http:/ / www.foxnews.com / 
opinion /2012 /()3/20/ is-americas-view-iran-and-hezbollah-dangerously-out-date / 

® Reuters, “Nasrallah: Iran could strike US bases if attacked” The Jerusalem Post (September 
3, 2012) http: / / www.jpost.com / IranianThreat / News / Article. aspx?id=283706. 

® Matthew G. Olsen, “Understanding the Homeland Threat Landscape” Hearing before the 
House Committee on Homeland Security (July 25, 2012) http: // homeland.house.gov / sites / 
homeland.house.gov /files / Testimony-Olsen.pdf. 

James R. Clapper, “Unclassified Statement for the Record on the Worldwide Threat Assess- 
ment of the US Intelligence Community for the Senate Select Committee on Intelligence” (Janu- 
ary 31, 2012) http:/ / inteUigence.senate.gov / 120131 / clapper.pdf . 

Frank J. Cilluffo, “Open Relationship” ForeignPolicy.com (February 15, 2012) http:/ / 

www.foreignpolicy.com/ articles / 2012 / 02 / 15 / open relationship?page=0,0; and Jerome P. 

Bjelopera “American Jihadist Terrorism: Combating a Complex Threat” CRS Report for Con- 
gress (November 15, 2011) http:/ / www.fas.org/sgp/crs /terror/ R41416.pdf (hut note that num- 
bers have increased since the Report was published). 



25 


ticular fighter pool is replenished, hy helping to inspire, radicalize, and motivate. 
These figures exude charisma, and exhibit cultural and linguistic fluency as well as 
other skills that propel them to positions of leadership, guidance, and prominence. 
Abdullah al-Faisal, a Jamaican with ties to shoe bomber Richard Reid and to (at- 
tempted) Times Square bomber Faisal Shahzad, is but one example. 

Just as the threat has gravitated and metastasized to areas in the physical world 
that will best support the ideology and activities at issue, so too has the threat 
taken hold in (and of) the cyber domain — where terrorists are still afforded too 
much freedom of maneuver. Being squeezed in Pakistan’s FATA, the Sahel, Yemen, 
or elsewhere, does not mean “game over” when the internet offers a transnational 
base and springboard for a variety of operations, including fundraising, recruitment, 
planning, training, and even implementation and execution of plots and plans. As 
I outlined in testimony before the Senate 5 years ago: “Extremists value the inter- 
net so highly that some have adopted the slogan ‘keyboard equals Kalashnikov’. Ter- 
rorist groups now have their own media production arms (al-Qaeda relies on As- 
Sahab and the Global Islamic Media Front, for example). Terrorists produce their 
own television programs and stations, websites, chat rooms, on-line forums, video 
games, videos, songs, and radio broadcasts.”^’' Having said that, and as I have indi- 
cated in further Senate testimony, this one more than a decade ago: “Bits, bytes, 
bugs, and gas will never replace bullets and bombs as the terrorist weapon of 
choice.”'® 

However, as kinetic measures (U.S. and allied) generate gains in the real-world, 
this may lead al-Qaeda and its s 3 mipathizers to enter even more deeply into the 
cyber domain. Indeed, al-Qaeda and their jihadi ilk may be surfing in the wake of 
“Anonymous” and other such groups, to learn from and perhaps also exploit their 
actions. The cyber threat writ large is much broader and more multifaceted, though. 
It may emanate from individual hackers, “hacktivists,” criminal or terrorist groups, 
nation-states or those that they sponsor. Moreover, the threat spectrum affects the 
public and private sectors, the interface and intersections between them, as well as 
individual citizens. From a homeland security perspective, foreign states are (by and 
large) our principal concerns in the cyber domain, at least in terms of sophistication; 
specifically those countries that pose an advanced and persistent threat, namely 
Russia and China. Their tactics may also be exploited by others.'® Furthermore, as 
laid out in my testimony to a joint hearing of two subcommittees of this body in 
April 2012, the government of Iran and its terrorist proxies are serious concerns in 
the cyber context. What Iran may lack in capability, it makes up for in intent; and 
our adversaries do not need highly sophisticated capabilities — just intent and cash — 
as there exists an arms bazaar of cyber weapons, allowing our adversaries to buy 
or rent the tools they need or seek. 

The cyber threat (and supporting technology) has markedly outpaced our preven- 
tion and response efforts. Use of cyber means as a force multiplier for kinetic activi- 
ties, which would represent the convergence of the physical and cyber worlds, con- 
stitutes probably the area of greatest concern over the next 5 to 10 years. Foreign 
militaries are increasingly integrating computer network attack (CNA) and com- 
puter network exploitation (CNE) capabilities into their warfighting, and military 


12 Frank J. Cilluffo, Jeffrey B. Cozzens, and Magnus Ranstorp, Foreign Fighters: Trends, Tra- 
jectories & Conflict Zones (October 1, 2010 http: II www.gwu.mc.edul hspi! policy ! 
report foreignfighters501.pdf. 

'2 The George Washington University Homeland Security Policy Institute (HSPI) and the Uni- 
versity of Virginia Critical Incident Analysis Group (CIAG), NETworked Radicalization (Special 
Report: May 2007) http:! ! www.gwumc.edu ! hspi ! policy ! NETworkedRadicalization.pdf . 

14 “The Internet: A Portal to Violent Islamist Extremism” (May 3, 2007) http:! / 
www.gwumc.edu ! hspi / policy / testimony5.3.07 cilluffo.pdf. 

'® “Critical Infrastructure Protection: Who’s In Charge” (October 4, 2001) http:ll 
www.gwumc.edu I hspi ! policy ! testimony 10.4.01 cilluffo.pdf. 

Frank J. Cilluffo, “The U.S. Response to Cybersecurity Threats” American Foreign Policy 
Council (AFPC) Defense Dossier (August 2012) http:llwww.afpc.orglfileslaugust2012.pdf; see 
also Office of the National Counterintelligence Executive (NCIX), Foreign Spies Stealing U.S. 
Economic Secrets in Cyber Space: Report to Congress on Foreign Economic Collection and Indus- 
trial Espionage 2009-2011 (October 2011) http: ! I www.ncix.gov ! publications ! reports ! fecie all! 

Foreign Economic Collection 2011.pdf. 

"“The Iranian Cyber Threat to the United States” Statement before the House of Representa- 
tives Committee on Homeland Security, Subcommittees on Counterterrorism and Intelligence, 
and on Cybersecurity, Infrastructure Protection, and Security Technologies (April 26, 2012) 
http:! / www.gwumc.edu I hspi I policy I Iran%20Cyber%20Testimony%204.26. 12%20Frank%20- 
Cilluffo.pdf. 



26 


planning and doctrine. Such activity may involve “intelligence preparation of the 
battlefield,” to include the mapping of perceived adversaries’ critical infrastructures. 
To my mind, the line between this type of reconnaissance and an act of aggression 
is very thin, turning only on the matter of intent. Foreign intelligence services, too, 
are engaging in cyber espionage against us, often combining technical and human 
intelligence in their exploits. Here, everything from critical infrastructure to intel- 
lectual property is potentially at risk. These exploits permit others to leapfrog many 
bounds beyond their rightful place in the innovation cycle, by profiting from (theft 
of) the research and development in which private and public U.S. entities invested 
heavily. At worst, these exploits hold the potential to significantly degrade our Na- 
tional defense and National security, and thereby undermine the trust and con- 
fidence of the American people in their Government. 

New opportunities for resilience, generated by forces including changing tech- 
nologies, will assuredly present themselves. Indeed it is this ability to reconstitute, 
recover, and get back on our feet is in fact perhaps the best deterrent. The storms 
that battered the National Capital Region this summer leaving close to a million 
people without power during a week-long heat wave are instructive in terms of our 
shortcomings on resilience. Mother Nature may be a formidable adversary, but just 
imagine the level of damage and destruction that a determined and creative enemy 
could have wrought. There is no lack of trying, as a recently published DHS report 
makes clear, noting the spike in attacks (from 9 incidents to 198) against U.S. crit- 
ical infrastructure from 2009 to 2011. The good news, on the other hand, is that 
the most serious of these incidents could have been avoided through the adoption 
of basic security steps and best practices. The bad news, of course, is that these fun- 
damental measures were not yet put into place. 

DHS: A LOOK BACK AND AHEAD 

Looking ahead, U.S. and allied counterterrorism efforts that achieved localized 
successes must be woven into a larger, sustained, and strategic effort; one that con- 
tinues to apply targeted pressure to deny adversaries the time and space to maneu- 
ver, including in cyberspace. Since the threat now comes in various shapes, sizes, 
and forms — ranging from al-Qaeda’s Senior Leadership (Ayman al-Zawahiri and his 
top deputies), to its principal franchises and affiliates, to individuals inspired by (if 
not directly connected to) al-Qaeda’s ideology, which includes the “home-grown” 
threat — the U.S. response, and that of DHS in turn, must be at once both suffi- 
ciently comprehensive in scope and sufficiently nimble in approach to address effec- 
tively the multi-dimensional threat landscape of today as well as tomorrow. 

Unfortunately our efforts to counter and defeat the jihadist ideology have been 
lacking, with the result that the terrorist narrative lives on, and continues to attract 
and inspire those who wish us harm. A sustained, comprehensive, integrated, and 
effective effort to combat violent Islamist extremism is, in my view, the biggest ele- 
ment missing from U.S. statecraft on counterterrorism. Although the Department 
of State’s Center for Strategic Counterterrorism Communications (CSCC) is doing 
some good work and represents a positive development in this space, now is the 
time to double down, do more, and hit back harder. The power of negative imagery, 
as in a political campaign, could be harnessed to hurt our adversaries and further 
chip away at their appeal and credibility in the eyes of peers, followers, and sympa- 
thizers. A sustained and systemic strategic communications effort aimed at exposing 
the hypocrisy of Islamists’ words versus their deeds, could knock them off balance, 
as could embarrassing their leadership by bringing to light their seamy connections 
to criminal enterprises and drug-trafficking organizations. The increasingly hybrid 
nature of the threat presents additional opportunities in this last regard, as drugs 
and arms trafficking are used to finance terrorism, and so too kidnapping for ran- 
som (think Abu Sayyaf and AQIM). Brokering in-fighting between and among al- 
Qaeda, its affiliates, and the broader jihadi orbit in which they reside, will damage 
violent Islamists’ capability to propagate their message and organize operations 
both at home and abroad. Locally administered programs are especially significant, 
as many of the solutions reside outside the U.S. Government and will require com- 
munities policing themselves. In short, we could and should do more to drive wedges 


Bryan Krekel, Patton Adams, and George Bakos, Occupying the Information High Ground: 
Chinese Capabilities for Computer Network Operations and Cyber Espionage, Prepared for the 
U.S. -China Economic and Security Review Commission by Northrop Grumman Corporation 

(March 7, 2012) p. 54 http: I / www.uscc.gov/RFPl2012IUSCC%20Report Chinese Capa- 

bilitiesforComputer_NetworkOperationsandCyberEspionage.pdf. 

Suzanne Kelly “Homeland security cites sharp rise in cyber attacks” CNN.com (July 4, 
2012). http:/ ! security.blogs.cnn.com / 2012 107 / 04 / homeland-security-cites-sharp-rise-in-cyber-at- 
tacks / . 



27 


and foment distrust (including by exploiting points of conflict between local interests 
and the larger global aims of AQ); encourage defectors; delegitimize and 
disaggregate our adversaries’ narrative; and above all, remember the victims.2° 

As the distinction between home and abroad increasingly blurs, due in part to 
technologies and tools such as social media, it is important to study and ultimately 
institutionalize counterterrorism lessons learned elsewhere, including about tactics, 
techniques, and procedures. In the aftermath of the “26-11” Mumbai attacks, for in- 
stance, the Los Angeles, Las Vegas, and New York City Police Departments each 
sent a team of experts to Mumbai. The objective was to meet with Indian counter- 
parts to learn about Mumbai’s response model and then-existing loopholes, which 
knowledge LAPD, LVPD, and NYPD could then apply to their home cities, with an 
eye to closing gaps in their own counterterrorism strategies and operations. More 
initiatives of this kind are needed, as is the continuation of those that already exist 
(such as police exchanges). Endeavors of this type are particularly important in a 
resource-scarce environment, as they can help avoid the need to reinvent the 
wheel.^i 

To obtain a truly “rich picture” of the threat in this country, we must focus on 
the field — not the Beltway. As recent history shows, the military and intelligence 
communities have come to just such a field bias. For the counterterrorism commu- 
nity to do otherwise is to risk stifling and stymieing the good work being done 
where the rubber meets the road. State and local authorities can and should com- 
plement what the Federal Government does not have the capacity or resources to 
collect (or is simply not best-suited to do) in terms of intelligence; and thereby help 
determine the scope and contours of threat domains in the United States. Further 
leveraging our decentralized law enforcement infrastructure could also serve to bet- 
ter power our Fusion Centers, which should be given ample opportunity to flourish. 
The equivalent of Commanders’ Intent, which gives those in the field the leeway to 
do what they need to do and which incorporates an honest “hotwash” after the fact 
to determine what went wrong and how to fix that, is needed in present civilian 
context for counterterrorism and intelligence purposes. Moreover, opportunities still 
exist to tap and apply intelligence and information from the field of organized crime 
to the field of counterterrorism, and vice versa. Hybrid thinking that marries up the 
two fields in this way, in order to further build our reservoir of knowledge on the 
counterterrorism side could prove valuable. 

Straightforward yet powerful steps remain to be taken. This was revealed starkly 
in multiple rounds of survey work — first with the major metropolitan intelligence 
chiefs and later with the fusion centers — that the Homeland Security Policy Insti- 
tute (HSPI) recently completed in an attempt to bring a little science to the art of 
intelligence. For example, too few Fusion Centers currently do threat assessments. 
This is unacceptable, especially in a climate of limited resources in which allocation 
decisions (regarding human, capital, and financial resources) should be priority-or- 
dered, meaning that scarce resources should be directed to those counter-threat 
measures, gaps, and shortfalls that constitute areas of greatest need. And Fusion 
Center-specific threat assessments are just a start. Regional threat assessments are 
also needed. Our adversaries do not respect local. State, or even National bound- 
aries hence our response posture must be similarly nimble and cohesive. Yet accord- 
ing to HSPI survey research published in June of this year, only 29% of Fusion Cen- 
ter respondents reported that their Center conducted a regional threat assessment 
on at least a yearly basis. Almost half reported that their Centers simply did not 
conduct regional threat assessments. Furthermore, those working in the Fusion 
Centers have yet to be invested with the analytical skill-craft and training nec- 
essary for them to accomplish their mission. Current incentive structures place too 
much emphasis on information processing and not enough on analytical outcome. 
Greater resources should be allocated to the professional development of those work- 
ing in the Centers. Within them lies untapped collection and analysis potential. Re- 
alizing and unleashing that potential will further bolster State and local law en- 
forcement efforts, and help develop anticipatory intelligence to prevent terrorist at- 
tacks and the proliferation of criminal enterprise operations.^^ In tandem, and with- 


Frank J. Cilluffo, “The Future of Homeland Security: Evolving and Emerging Threats” 
Hearing Before the Senate Committee on Homeland Security & Governmental Affairs (July 11, 
2012) httpij / ivww.givumc.edu I hspi I policy j Testimony%20-%20SHSGAC%20Hearing%20- 

%201 1 %20July%202012.pdf 
2:*^ Cilluffo, “U.S. -India Counterterrorism Cooperation.” 

22 Frank J. Cilluffo, Joseph R. Clark, Michael P. Downing, and Keith D. Squires “Counterter- 
rorism Intelligence: Fusion Center Perspectives” HSPI Counterterrorism Intelligence Survey Re- 
search (CTISR) (June 2012). http:/ I www.gwumc.edu I hspi I policy I HSPI%20Counterterrorism- 

Continued 



28 


out taking anything away from the Fusion Centers, Joint Regional Intelligence 
Groups (JRIGs) also have a role to play, including by helping to place National 
threat information into State and local context. 

DHS continues to mature over time. However its capacities generally still remain 
reactive in nature. As a result, the Department’s internal capabilities to assess fu- 
ture threats and then take actions are not yet evolved to the level that the security 
ecosystem demands. This is a significant shortfall, especially relative to the cyber 
domain where threats may morph and metastasize in milliseconds. Volume and pace 
in the cyber arena alone make for a serious challenge, including the potential for 
damage to critical U.S. infrastructure such as water and power systems, and tele- 
communications and finance. Since (as mentioned above) cyber tools/attacks may 
also be leveraged, acting as a force multiplier in connection with kinetic actions un- 
dertaken by our adversaries, the ability to look over the horizon and think cre- 
atively, including through the eyes of those of those who may bear hostile intent 
towards this country, is to be prized. Yet DHS does not currently have the built- 
in structural capacity to do so. Precisely because the Department must be able to 
respond to a wide range of threats that may materialize quickly, an Office of Net 
Assessment (ONA) could and should be created. 

The ONA would fill the much-needed role of brain trust, while remaining unfet- 
tered by the “crisis du jour” or the day-to-day demands flowing from intelligence 
needs and operations. The ever-shifting and unpredictable security environment fac- 
ing the United States requires the constant questioning of assumptions, the asking 
of what-ifs, and the thinking of the unthinkable, all in order to identify game chang- 
ers. The ONA should take a comprehensive, multi-disciplinary approach to its anal- 
ysis, looking at the full range of factors which will alter and shape the security envi- 
ronment of the future, including social, political, technological, economic, demo- 
graphic, and other trends. The duties of ONA should include studying existing 
threats in order to project their evolution into the future; studying trends in the 
weapons, technologies, modalities, and targets utilized by our adversaries (i.e., the 
events that can transform the security landscape); reviewing existing U.S. capabili- 
ties in order to identify gaps between current capabilities and the requirements of 
tomorrow’s threats; conducting war games and red team scenarios to introduce inno- 
vative thinking on possible future threats; assessing how terrorist groups/cells could 
operate around, and/or marginalize the effectiveness of, policies and protective 
measures. Admittedly, this is a tall order. The alternative, however, is to walk into 
the future partly blind and thus remain more vulnerable than we need to or should 
be. 

This proposal is not new, I should add. To the contrary, it appeared in the Janu- 
ary 2007 Homeland Security Advisory Council Report of the Future of Terrorism 
Task Force, for which I served as Vice Chairman together with Chairman Lee Ham- 
ilton.23 Now is the time — indeed it is well past time — to take this recommendation 
off the page and enact it. Our adversaries are patient and they are long-term think- 
ers whose horizons extend well beyond weeks and months. To help counter them 
effectively, we must not lose sight of the long game either. Indeed, the general quali- 
ties needed from an organizational standpoint (U.S./DHS) mirror many of the traits 
that our adversaries have exhibited over time. They are proactive, innovative, well- 
networked, flexible, patient, young and enthusiastic, technologically savvy, and 
learn and adapt continuously based upon both successful and failed operations 
around the globe. We and our Government must be and do likewise. Our institu- 
tions, both their structure and culture, must be responsive to the ever-changing 
threat environment. This entails much more than rearranging boxes on an organiza- 
tion chart. Together with policy and technology, people are a crucial component of 
the equation. Organizational change will not take root unless supported by cultural 
change, which in turn takes time, leadership, and both individual and community 
commitment. Many at DHS have worked long and hard to bring about a cohesive 
and collaborative culture that drives mission success; but we would do well to keep 
striving on that front, if only because sustaining an end-state can be as difficult as 
arriving at it in the first place. 

The type of forward-leaning assessment and evaluation described above could 
have a range of salutary knock-on effects, including the possibility of better-cali- 
brated budgeting, operational planning, and acquisitions, through the provision of 
a foundation from which forward-estimates may be derived. As things now stand. 


%20IntelUgence%20-%20Fusion%20Center%20Perspectives%206-26-12.pdf See also Frank J. 
Cilluffo, Joseph R. Clark, and Michael P. Downing “Counterterrorism Intelligence: Law Enforce- 
ment Perspectives” CTISR (September 2011). http:! I wwiv.gwumc.edu Ihspil policy t 
HSPl%20Research%20Brief%20-%20Counterterrorism%201ntelligence.pdf. 

23 http: 1 1 www.dhs.gov i xlibrary I assets ! hsae-future-terrorism-01 01 07.pdf. 



29 


the Department still has a ways to go in terms of aligning actions with future 
threats — although the Quadrennial Homeland Security Review (QHSR), while less 
than perfect, has served as a useful starting point. Still, as a mechanism and proc- 
ess for helping to bring DHS resources and plans into sync with the threat environ- 
ment, the QHSR is not as forward-leaning as it could or should be. The country 
would be better served by a more robust posture and process, one that anticipates 
threats before they manifest, and that allows the Secretary to determine what tools 
are needed for meeting them, what force structure is needed (at the Federal, State, 
and local levels), and what resources are needed from Congress to make that plan 
a reality. Importantly, we do not yet have a true “rich picture” of the domestic 
threat landscape because the National Intelligence Estimate (NIE) does not fully 
elaborate upon that dimension. This gap must be remedied, with State and local of- 
ficials at the heart of that exercise, because they are best-positioned to undertake 
the task. 

Cyber threats in particular manifest in nanoseconds, and we need to be able to 
enact cyber response measures that are almost as quick. This means developing and 
implementing an “active defense” capability to immediately attribute and counter 
attacks and future threats in real-time. Although much work remains to be done 
on the counterterrorism side, the country has achieved significant progress in this 
area. In contrast, the U.S. cybersecurity community’s state of development is akin 
to that of the counterterrorism community as it stood shortly after 9/11. Despite 
multiple incidents that could have served as galvanizing events to shore up U.S. re- 
solve to formulate and implement the changes that are needed, and not just within 
Government, we have yet to take those necessary steps. Officials in the homeland 
security community should therefore undertake contingency planning that incor- 
porates attacks on U.S. infrastructure. At minimum, “red-teaming” and additional 
threat assessments are needed. The latter should include modalities of attack and 
potential consequences. Working together with DHS Intelligence and Analysis col- 
leagues, the Department’s National Protection and Programs Directorate (NPPD) 
could and should do more in terms of threat and intelligence reporting, especially 
in relation to critical infrastructure, where DHS is well-positioned to add real and 
unique value given the Department’s relationship with and responsibilities towards 
the private sector. Consider the cyber-attacks on Saudi Aramco and Qatari RasGas 
this past summer, which hit thousands of computers at these critical oil and gas 
producers with a virus. As events unfolded, one would expect that counterpart in- 
dustries here in the United States would have welcomed DHS products that directly 
assessed these events and kept U.S. owners and operators abreast of latest develop- 
ments, their broader significance and potential follow-on implications. 

The United States should also develop and clearly articulate a cyber-deterrence 
strategy. Such a deterrence policy should apply generally, and also in a tailored 
manner that is actor/adversary-specific. A solid general posture could serve as an 
80 percent solution, neutralizing the majority of threats before they manifest fully. 
This, in turn, would free up resources (human, capital, technological, etc.) to focus 
our limited resources and bandwidth on the high-end of the threat spectrum and 
on those which are most sophisticated and persistent. To operationalize these rec- 
ommendations, we must draw lines in the sand. Preserving flexibility of U.S. re- 
sponse by maintaining some measure of ambiguity is useful, so long as we make 
parameters clear by laying down certain markers or selected redlines whose breach 
will not be tolerated. More investment needs to be made in our offensive capability 
as well, in order to support the foregoing proposals in terms of practice and at the 
level of principle (to signal a credible commitment). Cybersecurity by definition is 
transnational in nature and will require some level of transnational solutions, yet 
it must not be approached like an arms control treaty (i.e., attribution and 
verification are still a ways away). Notably NPPD, which manages the cyber-port- 
folio for DHS, has done some good work in the international arena, including cyber- 
specific capacity-building efforts and exercises, in multilateral settings and with bi- 
lateral partners. However, as the Department’s Inspector General noted in a report 
issued just this month,^^ DHS must continue to build on its Cybersecurity Strategy 


24 DHS Office of Inspector General, DHS Can Strengthen Its International Cybersecurity Pro- 
grams (Redacted) (August 2012) httpil I www.oig.dhs.gov I assets I Mgmt j 2012 1 OIGr 12- 

112_Augl2.pdf. 



30 


of November 2011,^® such as by clearly delineating “roles and responsibilities” for 
NPPD.26 

Plainly we have not yet made the requisite business case for the private sector 
to undertake and implement needed cybsecurity measures. This represents a funda- 
mental problem, given that the majority of critical infrastructure in this country is 
owned and operated by the private sector. The urgency for making this case needs 
no further explanation, hut we must take care to strike just the right balance of 
carrots — such as tax breaks, priority in Government contracting opportunities, and 
indemnification of liability, allowing those who have done what has been asked of 
them to avoid costly litigation — and sticks; and of measures that ensure both pri- 
vacy and security. To help ensure compliance with standards and best practices, a 
“Good Housekeeping” seal of approval could be granted to those who meet the bar. 
To the extent that this encourages industry-wide adoption and robust outcomes, 
such measure could spur the insurance and reinsurance sectors to step into the fray. 
In addition, the Federal Government has a responsibility to share threat informa- 
tion (i.e., signatures, hostile plans and techniques to degrade, disrupt or destroy sys- 
tems) that places our critical infrastructures at risk. The pilot program introduced 
within the confines of the defense industrial base offers a solid starting point, and 
an example of a promising information-sharing environment.^^ It probably should 
go without saying, but part of leading by example also entails the U.S. Government 
striving to place its own house in order, as a crucial corollary to meeting the threat. 

In conclusion, the challenges that lie on the horizon remain substantial, but with 
the requisite will and leadership — to lean forward and exhibit a field bias towards 
military, intelligence community, and law enforcement experts on the front lines — 
the country can and will continue to make progress towards meeting those impera- 
tives. Again, I wish to thank the Committee and its staff for the opportunity to tes- 
tify today, and I would be pleased to try to answer any questions that you may 
have. 

Chairman King. Thank you, Mr. Cilluffo. 

Our final witness is Mr. David Maurer. He is a GAO director in 
the Homeland Security and Justice Team, where he leads GAO’s 
work reviewing DHS and DOJ management issues. His recent 
work in these areas includes DHS management integration, the 
Quadrennial Homeland Security Review, Secret Service financial 
management, DOJ grant management. Federal prison system, and 
an assessment of technologies for detecting explosives in the pas- 
senger rail environment. 

Mr. Maurer has testified before this committee several times 
and, surprisingly, he has agreed to come back again. So we thank 
you very much for your testimony, and look forward to it. Thank 
you for your service. 

STATEMENT OF DAVID C. MAURER, DIRECTOR, HOMELAND SE- 
CURITY AND JUSTICE, GOVERNMENT ACCOUNTABILITY OF- 
FICE 

Mr. Maurer. Great. Thank you very much. Good morning. 
Chairman King, Ranking Member Thompson, other Members and 
staff. I am pleased to be here today to talk about DHS’s on-going 
efforts to build a unified Department and position itself for the fu- 
ture. 

Since it began operations nearly a decade ago, DHS has made 
significant strides. Today, it has almost $60 billion in budget au- 
thority to carry out a wide variety of critical missions. Fending off 


Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the Homeland Security 
Enterprise http: / / www.dhs.gov I xlibrary I assets / nppd / blueprint-for-a-secure-cyber-future.pdf. 

26 Mickey McCarter, “NPPD Lacks Strategy To Guide International Cybersecurity Efforts” 
Homeland Security Today (September 4, 2012) http:! ! www.hstoday.usl 

index.php?id=3392&no cache=l&tx ttnews%5Btt news%5D=25801 . 

2'^ Frank J. Cilluffo and Andrew Robinson, ‘While Congress Dithers, Cyber Threats Grow 
Greater” Nextgov.com (July 24, 2012) http:] lwww.nextgov.com ! cybersecurity 12012 ! 07 ! while- 
congress-dithers-cyber-threats-grow-greater 156968 / . 



31 


terrorist threats, securing the border, safeguarding cyberspace, and 
providing disaster relief. 

However, DHS has considerable work ahead to address weak- 
nesses in its current operations and management that hinder the 
Department’s ability to achieve its full potential. As a result, DHS 
remains on our high-risk list. My main message today is this. At 
the root of many of the Department’s problems is a fundamental 
cross-cutting and significant challenge; namely, DHS needs to do a 
better job managing its resources. 

Specifically, DHS needs a strong, unified management founda- 
tion that enables its components to execute their vital missions. 
DHS also needs to ensure that increasingly scarce resources are 
strategically managed and aligned with risk-based priorities. Mak- 
ing tough, informed resource decisions is important because DHS 
will never have enough people, money, and systems to fully address 
every threat. 

DHS has a lot of work ahead to achieve these goals. Two years 
ago, to help DHS with that task we identified 31 actions and out- 
comes that are critical to addressing the Department’s challenges. 
DHS agreed to achieve these outcomes, and has taken actions to 
do so. But DHS isn’t there yet. 

It currently lacks vital management capabilities to integrate the 
Department into something greater than the sum of its parts. For 
example, nearly every major DHS acquisition program has experi- 
enced funding instability, workforce shortfalls, and/or changes to 
their planned capabilities. DHS morale scores consistently among 
the lowest in the Federal Government. 

DHS has twice attempted, and failed, to build an integrated De- 
partment-wide financial management system. The Department has 
also struggled to achieve strategic visibility over how it allocates its 
resources. For example. Congress has appropriated nearly $40 bil- 
lion for DHS grant programs, however DHS has limited visibility 
over how these funds are used, does not effectively coordinate 
across its various programs, and lacks mechanisms for assessing 
grant effectiveness. 

DHS also does not know how much it spends on research and de- 
velopment activities, and lacks policies to define and coordinate 
R&D across the Department. DHS says it plans to spend $167 bil- 
lion on major acquisition programs in the coming years. But that 
is, at best, an educated guess. 

Most programs lack validated cost estimates, and DHS is still in 
the early stages of grappling with strategically managing these pro- 
grams as a portfolio rather than on an individual basis. In recent 
years, DHS has worked hard to fix problems like these, and has 
achieved some key successes. For example, DHS obtained a quali- 
fied audit opinion on its balance sheet for the first time since its 
operation last year. 

It has significantly lowered its senior leadership vacancy rates. 
It has developed a promising new approach for reviewing its IT in- 
vestments. We have also seen substantial senior-level support for 
a series of plans to help ensure that DHS’s missions are supported 
by a sound management infrastructure. 

In particular, the Department’s June 2012 strategy for address- 
ing its high-risk designation is a good road map for taking DHS to 



32 


where it wants to be. Looking ahead, DHS needs to show continued 
progress executing this ambitious agenda. Now, I know that “man- 
agement” is not the most exciting word in the world, but it is vital. 

In fact, management is the glue that holds DHS together, the 
daily missions of the various DHS components, and the threats 
that they address very widely. To ensure the Department works as 
one, DHS needs a clear common vision, a unified management 
structure, and the ability to make tough, risk-based resource deci- 
sions to ensure that strategies drive budgets and not the other way 
around. 

DHS has made important strides achieving these goals, but the 
Department still has a great deal of work ahead. Improving how 
it manages its resources will help DHS carry out its vital missions 
and help secure the homeland. 

Mr. Chairman, thank you for the opportunity to testify this 
morning. I look forward to your questions. 

[The prepared statement of Mr. Maurer follows:] 

Prepaked Statement of David C. Maurer 
September 20, 2012 

department of homeland security. — CONTINUED PROGRESS MADE IMPROVING AND 
INTEGRATING MANAGEMENT AREAS, BUT MORE WORK REMAINS 

GAO-12-1041T 

Chairman King, Ranking Member Thompson, and Members of the committee: I 
am pleased to be here today to discuss the Department of Homeland Security’s 
(DHS) efforts to strengthen and integrate its management functions. DHS now has 
more than 200,000 employees and an annual budget of almost $60 billion, and its 
transformation is critical to achieving its homeland security and other missions. 
Since 2003, GAO has designated the implementation and transformation of DHS as 
high-risk because DHS had to combine 22 agencies — several with major manage- 
ment challenges — into one Department, and failure to effectively address DHS’s 
management and mission risks could have serious consequences for our National 
and economic security. ^ This high-risk area includes challenges in strengthening 
DHS’s management functions — financial management, acquisition management, 
human capital, and information technology (IT) — the effect of those challenges on 
DHS’s mission implementation, and challenges in integrating management func- 
tions within and across the Department and its components. 

In November 2000, we published our criteria for removing areas from the high- 
risk list.2 Specifically, agencies must have: (1) A demonstrated strong commitment 
and top leadership support to address the risks; (2) the capacity (that is, the people 
and other resources) to resolve the risks; (3) a corrective action plan that identifies 
the root causes, identifies effective solutions, and provides for substantially com- 
pleting corrective measures in the near term, including but not limited to steps nec- 
essary to implement solutions we recommended; (4) a program instituted to monitor 
and independently validate the effectiveness and sustainability of corrective meas- 
ures; and (6) the ability to demonstrate progress in implementing corrective meas- 
ures. 

On the basis of our prior work, in a September 2010 letter to DHS, we identified, 
and DHS agreed to achieve, 31 actions and outcomes that are critical to addressing 
the challenges within the Department’s management areas and in integrating those 
functions across the Department to address the high-risk designation.^ These key 
actions and outcomes include, among others, obtaining and then sustaining unquali- 
fied audit opinions for at least 2 consecutive years on the Department-wide financial 


^GAO, High-Risk Series: An Update, GAO— 03— 119 (Washington, DC: January 2003); GAO, 
High-Risk Series: An Update, GAO-09-271 (Washington, DC: January 2009); High-Risk Series: 
An Update, GAO-07— 310 (Washington, DC: January 2007); and High-Risk Series: An Update, 
GAO-05— 207 (Washington, DC: January 2005). 

2 GAO, Determining Performance and Accountability Challenges and High Risks, GAO-01— 
159SP (Washington, DC: November 2000). 

^See appendix I for a summary of the 31 actions and outcomes. 



33 


statements; validating required acquisition documents in accordance with a Depart- 
ment-approved, knowledge-based acquisition process; and demonstrating measur- 
able progress in implementing its IT human capital plan and accomplishing defined 
outcomes."*^ In January 2011, DHS issued its initial Integrated Strategy for High- 
Risk Management, which included key management initiatives (e.g., financial man- 
agement controls, IT program governance, and procurement staffing model) to ad- 
dress challenges and the outcomes we identified for each management area. DHS 
provided updates of its progress in implementing these initiatives in later versions 
of the strategy — June 2011, December 2011, and June 2012. Achieving and sus- 
taining progress in these management areas would demonstrate the Department’s 
ability and on-going commitment to addressing our five criteria for removing issues 
from the high-risk list. 

My testimony this morning, as requested, will discuss our observations, based on 
prior and on-going work, on DHS’s progress in achieving outcomes critical to ad- 
dressing its high-risk designation for the implementation and transformation of the 
Department. 

This statement is based on prior reports and testimonies we issued from June 
2007 through September 2012 and letters we submitted to DHS in March and No- 
vember 2011 providing feedback on the Department’s January and June 2011 
versions of its Integrated Strategy for High-Risk Management.^ For the past prod- 
ucts, among other methodologies, we interviewed DHS officials; analyzed DHS strat- 
egies and other documents related to the Department’s implementation and trans- 
formation high-risk area; and reviewed our past reports, issued since DHS began 
its operations in March 2003. All of this work was conducted in accordance with 
generally accepted Government auditing standards; more-detailed information on 
the scope and methodology from our prior work can be found within each specific 
report. This statement is also based on observations from our on-going work related 
to DHS IT investments.® For this work, we analyzed recent cost and schedule per- 
formance for DHS’s major IT investments as reported to the Office of Management 
and Budget as of March 2012. We will report on the final results of this review later 
this month. We are conducting this work in accordance with generally accepted Gov- 
ernment auditing standards. Those standards require that we plan and perform the 
audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions based on our 
audit objectives. 

DHS HAS MADE PROGRESS IN ADDRESSING ITS MANAGEMENT CHALLENGES, BUT HAS 
SIGNIFICANT WORK AHEAD TO ACHIEVE HIGH-RISK OUTCOMES 

Since we designated the implementation and transformation of DHS as high-risk 
in 2003, DHS has made progress addressing management challenges and senior De- 
partment officials have demonstrated commitment and top leadership support for 
addressing the Department’s management challenges. However, the Department 
has significant work ahead to achieve positive outcomes in resolving high-risk 
issues. For example, DHS faces challenges in modernizing its financial systems, im- 
plementing acquisition management controls, and improving employee satisfaction 
survey results, among other things. As DHS continues to mature as an organization, 
it will be important for the Department to continue to strengthen its management 
functions, since the effectiveness of these functions affects its ability to fulfill its 
homeland security and other missions. 

Financial management. — DHS has made progress in addressing its financial man- 
agement and internal controls weaknesses, but has been unable to obtain an un- 
qualified audit opinion on its financial statements since the Department’s creation 
and faces challenges in modernizing its financial management systems. DHS has, 
among other things. 


'I An unqualified opinion states that the audited financial statements present fairly, in all ma- 
terial respects, the financial position, results of operations, and cash flows of the entity in con- 
formity with generally accepted accounting principles. 

® See the related products list at the end of this statement. 

®This review is being conducted at the request of this Committee’s Subcommittee on Over- 
sight, Investigations, and Management; and Senator Thomas Carper, Chairman, Subcommittee 
on Federal Financial Management, Government Information, Federal Services and International 
Security of the Senate Committee on Homeland Security and Governmental Affairs. 



34 


• reduced the number of material weaknesses in internal controls from 18 in 2003 
to 5 in fiscal year 2011;^ 

• achieved its goal of receiving a qualified audit opinion on its fiscal year 2011 
consolidated balance sheet and statement of custodial activity for the first time 
since the Department’s creation;® 

• established a goal of obtaining an audit opinion on all of its fiscal year 2012 
financial statements; and 

• expanded the scope of the annual financial audit to the complete set of fiscal 
year 2012 financial statements, which DHS believes will help it to obtain an 
unqualified opinion for fiscal year 2013.® 

However, DHS continues to face challenges in financial management. For exam- 
ple, DHS anticipates difficulties in providing its auditors transaction-level detail to 
support balances reported in its fiscal year 2012 financial statements in order to ob- 
tain an opinion on its financial statements. This is due to, among other things, com- 
ponents not retaining original acquisition documentation or enforcing policies re- 
lated to recording purchases and making pa 3 mients. DHS also anticipates its audi- 
tors issuing a disclaimer in their fiscal year 2012 report on internal controls over 
financial reporting due to material weaknesses in internal controls, such as lack of 
effective controls over the recording of financial transactions related to property, 
plant, and equipment. 

In addition, in December 2011, DHS reported that the Federal Emergency Man- 
agement Agency (FEMA), U.S. Coast Guard (USCG), and U.S. Immigration and 
Customs Enforcement (ICE) have an essential business need to replace their finan- 
cial management systems, but DHS has not fully developed its plans for upgrading 
existing or implementing new financial systems at these agencies. According to 
DHS’s June 2012 version of its Integrated Strategy for High-Risk Management, the 
Department plans to extend the useful life of FEMA’s current system by about 3 
years, while FEMA proceeds with a new financial management system solution, and 
is in the process of identifying the specific approach, necessary resources, and time 
frames for upgrading existing or implementing new financial systems at USCG and 
ICE. Without sound processes, controls, and systems, DHS faces long-term chal- 
lenges in obtaining and sustaining an unqualified opinion on both its financial state- 
ments and internal controls over financial reporting, and ensuring its financial man- 
agement systems generate reliable, useful, timely information for day-to-day deci- 
sion-making. We currently have on-going work related to DHS’s efforts to improve 
its financial reporting that we expect to report on in the spring of 2013. 

Acquisition management . — DHS has made progress in the acquisition manage- 
ment area by enhancing the Department’s ability to oversee major acquisition pro- 
grams. For example: 

• DHS has established eight Centers of Excellence for cost estimating, systems 
engineering, and other disciplines to bring together program managers, senior 
leadership staff, and subject matter experts to promote best practices, provide 
expert counsel, technical guidance, and acquisition management tools; and each 
DHS component has established a Component Acquisition Executive (CAE) to 
provide oversight and support to programs within the component’s portfolio. 
According to DHS, as of June 2012, 75 percent of the core CAE support posi- 
tions were filled. 

• In March 2012, DHS completed the development of a Procurement Staffing 
Model to determine optimal numbers of personnel to properly award and admin- 


A material weakness is a significant deficiency, or a combination of significant deficiencies, 
in internal control such that there is a reasonable possibility that a material misstatement of 
the entity’s financial statements will not be prevented or detected and corrected on a timely 
basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control 
that is less severe than a material weakness, yet important enough to merit attention by those 
charged with governance. A deficiency in internal control exists when the design or operation 
of a control does not allow management or employees, in the normal course of performing their 
assigned functions, to prevent, or detect and correct, misstatements on a timely basis. 

® A qualified opinion states that, except for the effects of the matter(s) to which the qualifica- 
tion relates, the audited financial statements present fairly, in all material respects, the finan- 
cial position, results of operations, and cash flows of the entity in conformity with generally ac- 
cepted accounting principles. The matter(s) to which the qualification relates could be due to 
a scope limitation, or the audited financial statements containing a material departure from 
generally accepted accounting principles, or both. 

® DHS’s complete set of financial statements consist of the Balance Sheet, Statement of Net 
Cost, Statement of Changes in Net Position, Statement of Budgetary Resources, and Statement 
of Custodial Activity. 

i®We are doing this work at the request of the Subcommittee on Federal Financial Manage- 
ment, Government Information, Federal Services and International Security of the Senate Com- 
mittee on Homeland Security and Governmental Affairs. 



35 


ister contracts. In June 2012, DHS reported that it is taking steps to implement 
the staffing model throughout headquarters and the components. 

• DHS included a new initiative (strategic sourcing) in its December 2011 Inte- 
grated Strategy for High-Risk Management to increase savings and improve ac- 
quisition efficiency by consolidating contracts Department-wide for the same 
kinds of products and services. The Office of Management and Budget’s Office 
of Federal Procurement Policy has cited DHS’s efforts among best practices for 
implementing Federal strategic sourcing initiatives. Earlier this month, we re- 
ported that the Department has implemented 42 strategically-sourced efforts 
since the Department’s inception.ii According to DHS data, the Department’s 
spending through strategic sourcing contract vehicles has increased steadily 
from $1.8 billion in fiscal year 2008 to almost $3 billion in fiscal year 2011, rep- 
resenting about 20 percent of DHS’s procurement spending for that year. 

However, DHS continues to face significant challenges in managing its acquisi- 
tions. For example: 

• Earlier this week, we reported that 68 of the 71 program offices we surveyed 
from January through March 2012 responded that they experienced funding in- 
stability, workforce shortfalls, and/or changes to their planned capabilities over 
the programs’ duration.i^ We have previously reported that these challenges in- 
crease the likelihood acquisition programs will cost more and take longer to de- 
liver capabilities than expected. 

• Our recent review of DHS acquisition management also identified that while 
DHS’s acquisition policy reflects many key program management practices that 
could help mitigate risks and increase the chances for successful outcomes, it 
does not fully reflect several key portfolio management practices, such as allo- 
cating resources strategically. DHS plans to develop stronger portfolio man- 
agement policies and processes, but until it does so, DHS programs are more 
likely to experience additional funding instability, which will increase the risk 
of further cost growth and schedule slips. We recommended that DHS take a 
number of actions to help mitigate the risk of poor acquisition outcomes and 
strengthen the Department’s investment management activities. DHS concurred 
with all of our recommendations and noted actions it had taken or planned to 
address them. 

Human capital management. — DHS has taken a number of actions to strengthen 
its human capital management. For example: 

• DHS issued human capital-related plans, guidance, and tools to address its 
human capital challenges, including a Workforce Strategy for 2011-2016; a re- 
vised Workforce Planning Guide, issued in March 2011, to help the Department 
plan for its workforce needs; and a Balanced Workforce Strategy tool, which 
some components have begun using to help achieve the appropriate mix of Fed- 
eral and contractor skills. 

• The Department implemented two programs to address senior leadership re- 
cruitment and hiring, as we reported in February 2012. While DHS’s senior 
leadership vacancy rate was as high as 25 percent in fiscal year 2006, it varied 
between 2006 and 2011 and declined overall to 10 percent at the end of fiscal 
year 2011. 

• DHS developed outreach plans to appeal to veterans and other underrep- 
resented groups. 

While these initiatives are promising, DHS continues to face challenges in human 
capital management. For example: 

• As we reported in March 2012, based on our preliminary observations of DHS’s 
efforts to improve employee morale. Federal surveys have consistently found 
that DHS employees are less satisfied with their jobs than the Government- 
wide average. DHS has taken steps to identify where it has the most signifi- 
cant employee satisfaction problems and developed plans to address those prob- 
lems, such as establishing a Department-wide Employee Engagement Executive 


GAO, Homeland Security: DHS Has Enhanced Procurement Oversight Efforts, hut Needs to 
Update Guidance, GAO-12—947 (Washington, DC: Sept. 10, 2012). 

GAO, Homeland Security: DHS Requires More Diseiplined Investment Management to Help 
Meet Mission Needs, GAO— 12-833 (Washington, DC: Sept. 18, 2012). 

GAO, Department of Homeland Security: Assessments of Complex Acquisitions, GAO-10— 
588SP (Washington, DC: June 30, 2010). 

1“ GAO-12-833. 

13 GAO, DHS Human Capital: Senior Leadership Vacancy Rates Generally Declined, hut Com- 
ponents’ Rates Varied, GAO-12-264 (Washington, DC: Feb. 10, 2012). 

13 GAO-12-264. 

11 GAO, Department of Homeland Seeurity: Preliminary Observations on DHS’s Efforts to Im- 
prove Employee Morale. GAO-12-509T (Washington, DC: Mar. 22, 2012). 



36 


Steering Committee, but has not yet improved employee satisfaction survey re- 
sults. We plan to issue a final report on our findings later this month, 

• As we reported in April 2012, changes in FEMA’s workforce, workload, and 
composition have created challenges in FEMA’s ability to meet the agency’s var- 
ied responsibilities and train its staff appropriately, Eor example, FEMA has 
not developed processes to systematically collect and analyze agency-wide work- 
force and training data that could be used to better inform its decision making. 
We recommended that FEMA, among other things, identify long-term quantifi- 
able mission-critical goals, establish lines of authority for agency-wide workforce 
planning and training efforts, and develop systematic processes to collect and 
analyze workforce and training data. DHS concurred with our recommendations 
and reported actions underway to address them. 

Information technology management . — DHS has made progress in strengthening 
its IT management, but the Department has much more work to do to fully address 
its IT management weaknesses. Among other accomplishments, DHS has: 

• strengthened its enterprise architecture;®® 

• defined and begun to implement a vision for a tiered governance structure in- 
tended to improve program and portfolio management, as we reported in July 
2012 ;®! 

• established a formal IT Program Management Development Track and staffed 
Centers of Excellence with subject matter experts to assist major and non-major 
programs. 

Based on preliminary observations from our review of DHS’s major at-risk IT ac- 
quisitions we are performing for the committee, these improvements may be having 
a positive effect. Specifically, as of March 2012, approximately two-thirds of the De- 
partment’s major IT investments we reviewed (47 of 68) were meeting current cost 
and schedule commitments (i.e. goals). 

DHS has made progress, but the Department has much more work to do to fully 
address its IT management weaknesses. For example, the Department needs to: 

• finalize the policies and procedures associated with its new tiered governance 
structure and continue to implement this structure, as we recommended in our 
July 2012 report;®® 

• continue to implement its IT human capital plan, which DHS believed would 
take 18 months to fully implement as of June 2012; and 

• continue its efforts to enhance IT security by, among other things, effectively 
addressing material weaknesses in financial systems security, developing a plan 
to track and promptly respond to known vulnerabilities, and implementing key 
security controls and activities. 

Management integration . — DHS has made progress in integrating its individual 
management functions across the Department and its component agencies. For ex- 
ample, DHS has put into place common policies, procedures, and systems within in- 
dividual management functions, such as human capital, that help to integrate its 
component agencies, as we reported in September 2011.®® To strengthen this effort, 
in May 2012, the Secretary of Homeland Security modified the delegations of au- 
thority between the Management Directorate and their counterparts at the compo- 
nent level. According to DHS, this action will provide increased standardization of 
operating guidelines, policies, structures, and oversight of programs. Additionally, 
DHS has taken steps to standardize key data elements for the management areas 
across the Department to enhance its decision making. For example, in April 2012, 
the under secretary for management appointed an executive steering committee and 
tasked this committee with creating a “Data Mart” to integrate data from disparate 
sources and allow the dissemination of timely and reliable information by March 
2013. Further, consistent with our prior recommendations, DHS has implemented 
mechanisms to promote accountability for management integration among Depart- 


!®We are doing this work at the request of this Committee’s Subcommittee on Oversight, In- 
vestigations, and Management; and Senator Susan Collins, Ranking Member of the Senate Com- 
mittee on Homeland Security and Governmental Affairs. 

GAO, Federal Emergency Management Agency: Workforce Planning and Training Could Be 
Enhanced by Incorporating Strategic Management Principles, GAO-12^87 (Washington, DC: 
Apr. 26, 2012). 

20 An enterprise architecture can be viewed as a blueprint for organizational transformation 
and IT modernization. 

2! GAO, Information Technology: DHS Needs to Further Define and Implement Its New Gov- 
ernance Process, GAO-12-818 (Washington, DC: July 25, 2012). 

22 GAO-12-818. 

22 GAO, Department of Homeland Security: Progress Made and Work Remaining in Imple- 
menting Homeland Security Missions 10 Years after 9 ! 11, GAO— 11-881 (Washington, DC: Sept. 
7, 2011). 



37 


ment and component management chiefs by, among other things, having the De- 
partment chiefs develop written objectives that explicitly reflect priorities and mile- 
stones for that management function.^'' 

Although these actions are important, DHS needs to continue to demonstrate sus- 
tainable progress in integrating its management functions within and across the De- 
partment and its components and take additional actions to further and more effec- 
tively integrate the Department. For example, DHS recognizes the need to better 
integrate its lines of business. The Integrated Investment Life Cycle Model (IILCM), 
which the Department is establishing to manage investments across the Depart- 
ment’s components and management functions, is an attempt at doing that. DHS 
identified the IILCM as one of its most significant management integration initia- 
tives in January 2011. However, the June 2012 update reported that this initiative 
is in its early planning stages, will be phased in over multiple budget cycles, and 
requires additional resources to fully operationalize. In September 2012, DHS re- 
ported that it has developed draft policy and procedural guidance to support imple- 
mentation of the IILCM and now plans to begin using aspects of this new approach 
to develop portions of the Department’s fiscal years 2015 through 2019 budget. 

DHS strategy for addressing GAO’s high-risk designation. — In January 2011, DHS 
issued an agency-wide management integration strategy — the Integrated Strategy 
for High-Risk Management — as we recommended in our March 2005 report on 
DHS’s management integration efforts.^® DHS’s most recent version of the strategy, 
issued in June 2012, greatly improved upon prior versions and addressed feedback 
we previously provided by, for example, identifying key measures and progress rat- 
ings for the 18 initiatives included in the strategy and the 31 outcomes.^® We be- 
lieve the June 2012 strategy, if implemented and sustained, provides a path for 
DHS to address our high-risk designation. 

DHS can further strengthen or clarify its Integrated Strategy for High-Risk Man- 
agement to better enable DHS, Congress, and GAO to assess the Department’s 
progress in implementing its management initiatives by, among other things: Deter- 
mining the resource needs for all of the corrective actions in the strategy; commu- 
nicating to senior leadership critical resource gaps across all initiatives; and identi- 
fying program and project risks in a supporting risk mitigation plan for all initia- 
tives. 

Going forward, DHS needs to continue implementing its Integrated Strategy for 
High-Risk Management and show measurable, sustainable progress in implementing 
its key management initiatives and corrective actions and achieving outcomes. We 
will continue to monitor, assess, and provide feedback on DHS’s implementation and 
transformation efforts through our on-going and planned work, including the 2013 
high-risk update that we expect to issue in January 2013. 

Chairman King, Ranking Member Thompson, and Members of the committee, this 
concludes my prepared statement. I would be pleased to respond to any questions 
that you may have. 

Appendix I: Summary of Actions and Outcomes foe Addressing the Imple- 
menting AND Transforming the Department of Homeland Security High- 

Risk Area 

On the basis of our prior work, in a September 2010 letter to the Department of 
Homeland Security (DHS), we identified 31 actions and outcomes that are critical 
to addressing the challenges within the Department’s management areas and in in- 
tegrating those functions across the Department, thus addressing the high-risk des- 
ignation. This appendix provides a summary of the 31 actions and outcomes. 

financial management 

1. Maintain top management commitment to correcting weaknesses. 

2. Address internal control, business process, and systems weaknesses. 

3. Commit sufficient resources to implement financial system modernization 

and complete a full-scope audit of the Department’s basic financial statements. 

4. Expand scope of financial statement audit to include an opinion on all of the 

Department’s basic financial statements. 

5. Sustain clean opinions for at least 2 consecutive years. 

6. Comply with the Federal Financial Management Improvement Act of 1996. 


GAO, Department of Homeland Security: Actions Taken Toward Management Integration, 
but a Comprehensive Strategy Is Still Needed, GAO-10— 131 (Washington, DC: Nov. 20, 2009). 

^®GAO, Department of Homeland Security: A Comprehensive and Sustained Approach Needed 
to Achieve Management Integration, GAO— 05-139 (Washington, DC: Mar. 16, 2005). 
26GAO-10-131. 



38 


7. Embrace best practices for financial system modernization. 

8. Establish contractor oversight mechanisms for financial system moderniza- 
tion. 

9. Successfully implement new or upgrade existing financial systems as needed 
throughout the Department, including the U.S. Coast Guard (USCG), Federal 
Emergency Management Agency (FEMA), and U.S. Immigration and Customs 
Enforcement (ICE). 


ACQUISITION MANAGEMENT 

1. Validate required acquisition documents in a timely manner at major mile- 
stones, including life-cycle cost estimates, in accordance with a Department-ap- 
proved, knowledge-based acquisition process. 

2. Improve component acquisition capability. 

3. Establish a Joint Requirements Council or a similar body. 

4. Ensure a sufficient number of trained acquisition personnel are in place at 
the Department and component levels. 

5. Establish and demonstrate measurable progress in achieving goals that im- 
prove programs’ compliance with the Department’s established processes and 
policies. For major acquisitions, demonstrate that actual cost and schedule per- 
formance are within baseline thresholds. 

HUMAN CAPITAL MANAGEMENT 

1. Implement a human capital strategic plan. 

2. Link workforce planning to other Department planning efforts. 

3. Enhance recruiting to meet current and long-term needs. 

4. Base human capital decisions on competencies and performance. 

6. Seek employees’ input to strengthen human capital approaches and activities. 

6. Improve scores on the Office of Personnel Management’s Federal Employee 
Viewpoint Survey. 

7. Assess and improve training, education, and development programs. 

INFORMATION TECHNOLOGY MANAGEMENT 

1. Demonstrate achievement of stage 4 of GAO’s Enterprise Architecture Man- 
agement Maturity Framework (that is, completing and using an enterprise ar- 
chitecture for targeted results). 

2. Establish and implement information technology (IT) investment manage- 
ment best practices. 

3. Establish and implement IT system acquisition management processes. 

4. Show progress in implementing the IT strategic human capital plan. 

6. Demonstrate for at least two consecutive investment increments that cost and 
schedule performance is within the established threshold baseline for major in- 
vestments. 

6. Enhance the security of internal IT systems and networks. 

MANAGEMENT INTEGRATION 

1. Implement actions and outcomes in each management area. 

2. Revise management integration strategy to address characteristics we pre- 
viously recommended, such as set implementation goals and a time line to mon- 
itor progress. 

3. Establish performance measures to assess progress made in achieving De- 
partment-wide management integration. 

4. Promote accountability for management integration among Department and 
management chiefs through the performance management system. 

Chairman King. Thank you, Mr. Maurer. 

Now I will recognize myself for questions. I would ask this ques- 
tion of each of you. Mr. Baker gave the Department an A as far 
as thinking seriously about keeping terrorists out. I would like to 
ask each of you, though, how effective do you think DHS has been 
in making itself part of the counterterrorism community, the intel- 
ligence community, and receiving the cooperation from the other 
big players? 

What appeared to be my personal experience at the time, at least 
anecdotally, they were not getting the respect early on. They were 



39 


considered, you know, the new kids on the block. Has that im- 
proved, and how well-integrated are they into a cohesive counter- 
terrorism system? 

Mr. Skinner. 

Mr. Skinner. I do agree that early on they did not get the re- 
spect that they should have. At the time I left, I think they were 
still facing challeng:es with bringing something to the table, so to 
speak, in the intelligence community. A lot of this dealt with the 
simple issues of trust. Other issues were just the mere nature of 
what they were bringing to the table. 

It was historic data. It wasn’t something, a strategic dialogue, as 
to where the challenges were. I think someone hit on this earlier 
today. That we need to do a better job of actually stepping back 
and thinking the what-ifs that can occur in this country. Also the 
things that we can be doing better with regard to infrastructure. 

So in my assessment, I think we have a very, very long way to 
go yet in the intelligence community as far as being a major player, 
at least at the time I left about 18 months ago. 

Chairman King. Thank you. 

Secretary Baker. 

Mr. Baker. Well, I used to say that — at the beginning of DHS, 
your assessment is quite correct. I once described hiring Charlie 
Allen as the equivalent of the Mets hiring Casey Stengel. It gave 
us more credibility than we had before, but we still have a long 
way to go. 

DHS is an unusual participant in the intelligence community. 
There are a lot of participants who are basically takers of intel- 
ligence and analysts of the intelligence that they get. Then there 
are some very big producers of intelligence. DHS is neither of those 
things. It does analyze intelligence, and it does produce intelligence 
of a sort. Particularly travel data. 

That has proven to be increasingly useful. So my sense is that, 
indeed, there is a little bit of tension between them and NCTC over 
who is in charge of gathering and using this data. You know, if you 
have turf tension that suggests you are contributing something 
that somebody else would like to be contributing. 

So I think they have moved forward substantially. One area they 
are not yet maximizing their opportunities in is cyber, where we 
know a lot about the attackers. We learn that by using law enforce- 
ment authorities. DHS has all these law enforcement investigators. 
Secret Service and ICE, that should be carrying out law enforce- 
ment investigations strategically to learn more about our attackers 
and then embarrass them as dramatically as possible. 

My sense is that the law enforcement guys are all overdoing 
their investigations without a lot of coordination and a lot of strat- 
egy from NPPD and the cyber operations. We could contribute 
more if we were a little more strategic about how we used our law 
enforcement resources. 

Chairman King. Thank you. 

Mr. Cilluffo. 

Mr. Cilluffo. Clearly, intelligence is the lifeblood for our cam- 
paign against terrorism in all facets. I would argue that I probably 
take a less positive view in terms of where the Department is writ 
large. First, I don’t think we have the equivalent. We all know Na- 



40 


tional intelligence estimates in terms of racking and stacking capa- 
bilities of our adversaries overseas. 

We have intelligence estimates that look at threats to the home- 
land. But what do we have where you have a legitimate home- 
grown threat? The foreign-domestic divide is blurring today. Social 
technology and everything else makes it very difficult. The word 
over here has an effect over there, and vice versa. 

So I would argue the emphasis should be pushing out our capa- 
bilities to support and enable our fusion centers on the front lines. 
State and local law enforcement is ultimately best positioned and, 
in many cases, most competent to deal with these issues. 

The joint regional intelligence groups that the FBI is standing 
up, we have got to find ways to make sure that all these pieces can, 
in fact, come together. To take National data, to put it into local 
context. Ultimately, that is translating that data for our State and 
local authorities who are best positioned to address these issues. 

On the cyber side, we have a long ways to go. I mean, if you look 
back since 9/11, I would argue the greatest breakthroughs which 
no one is really talking about in our counterterrorism efforts have 
been the synchronization of Titles 10 and Title 50; basically, where 
the intelligence community meets the defense establishment. 

Cyber. This is an area where we clearly need to look at some of 
those same synchronizations of authorities and capabilities. Doesn’t 
exist at the State and local. Then when you start looking at the 
homeland, in particular, I think Stewart captured it. NSA has got 
the capability, DHS has the authority. NSA doesn’t have many of 
the authorities, and DHS doesn’t have many of the capabilities. 

How do we start bridging that gap in a way that is true to who 
we are as a country from a privacy perspective? I think that is the 
big issue we are all struggling with right now. 

Chairman King. Thank you. 

Mr. Maurer. 

Mr. Maurer. Yes. Mr. Chairman, I mean obviously, over the 
course of the last decade there have been a number of substantial 
changes in the overall structure of the intelligence community. I 
mean, sort of operating in parallel with a stand-up in operation of 
DHS was the creation of the NCTC, the standing up of OD&I, the 
fundamental restructuring and refocus of the FBI. 

All these things were happening simultaneously. DHS is clearly 
at the table as part of this on-going effort. I wouldn’t characterize 
them as playing their leading role. In some respects, appropriately 
so. FBI is late on some things, for example. We issued a report ear- 
lier this morning looking at DHS’s central efforts to improve infor- 
mation sharing of terrorist-related information. 

What we found there was encouraging. We think that DHS is on 
a good path on that front. They have shown good leadership. We 
are concerned about their lack of metrics to be able to establish 
whether or not they are making progress towards their goals. But 
we think they are off to a good start in that respect. 

So we will be certainly watching that area, as well. That is an- 
other one of our high-risk issues, and DHS is one of 5 main agen- 
cies that play in that realm. 

Chairman King. Thank you. 



41 


My time has expired. I would ask you if you could get back to 
me in writing. I have two quick questions. No. 1: How significant 
is it that the Saint Elizabeths project has been pushed back? How 
important is it for the Department to have, you know, one coherent 
central location? 

Second: Is there any way that the progress of DHS could be com- 
pared to the growth of the Defense Department after World War 
II? Are they on the same path? 

With that, I yield to the gentleman. If you can get back to me 
in 30 days, in writing, I would appreciate it. 

The gentleman from Mississippi. 

Mr. Thompson. Thank you very much, Mr. Chairman. 

Some will argue that the direction of this Department mirrors 
the direction it receives. Part of that direction comes from Con- 
gress. I have shared with you my concern about jurisdiction. But 
since we have four very qualified individuals to talk about the sub- 
ject of jurisdiction and the Department, can you just share individ- 
ually whether or not you believe it is a good thing for Congress to 
vest jurisdiction for DHS within one committee like a number of 
other departments have? 

Agriculture, just to talk a little bit about one, there are some 
small pieces elsewhere. But primarily, jurisdiction is there. I will 
start with you, Mr. Skinner. 

Mr. Skinner. Absolutely. My own experiences when I was the IG 
at DHS, people talk about over 100. I dealt with about 88 commit- 
tees and subcommittees. This is very time-consuming, resource-in- 
tensive. We receive, constantly, mixed messages as to the direction 
the Congress wanted the Department to go. 

It created, in my opinion, a lot of problems. Not only for our of- 
fice, but this is also compounded when you look at it from a De- 
partment-wide perspective. Having to answer to so many different 
committees, so many different directions. The time spent, I think, 
can be better spent in building a better Department. 

But yes, absolutely. I think it would be very worthwhile if we 
could consolidate some of this oversight into one committee. 

Mr. Thompson. Mr. Baker. 

Mr. Baker. I completely agree. It is a sign of lack of seriousness 
that the Congress did not accept even the 9/11 Commission rec- 
ommendations on this regard. It is very disappointing that it has 
continued as long as it has, very strong. 

I do agree. Imagine trying to run a company and you have 88 
outside boards of directors you are held accountable to, none of 
whom agree in the common end-state. Well, everyone agrees that 
we want to make the country more safe, but with changes. 

I think it is debilitating. I don’t think the Department can ma- 
ture when it has so many different approaches in terms of over- 
sight. The big issue, I would also suggest, is to be able to align 
budgets to priorities. You have got to also look at the appropriator- 
authorizer connect, which — I know, I chuckle myself. 

I sometimes say we have three parties in this country — Repub- 
licans, Democrats, and Appropriaters. But at the end of the 
day 

Mr. Thompson. You are correct. 

Mr. Baker [continuing]. That is a big issue. 



42 


Mr. CiLLUFFO. That has certainly been an issue that DHS has — 
been a burden for them from the time the Department has been 
created. But I think as you know that, you know, GAO works for 
the Congress as a whole. Obviously, we are strong advocates of 
very aggressive and hands-on oversight. 

So we don’t take a position on how Congress divides up its juris- 
diction, other than to say that we are there to support making 
those decisions. So if there is any information we can offer to help 
with that, we would be glad to offer that. I will say that this prob- 
lem is not necessarily unique to DHS, but it is probably unusual 
relative to other departments in the Executive branch. 

Mr. Thompson. Thank you. I would like just to go on the record 
in support of what Mr. Baker and the others have said. That the 
9/11 report. Commission report, this is really the only thing that 
is still left outstanding. Is that somehow we all agree that it is out- 
standing, but we can’t agree to do it. 

I think that is a failure on Congress’ part to step up. I will just 
say for the record again, Mr. King — whether you are Chair or I am 
Chair — we need to send that letter again to our leadership, jointly 
signed by us, saying it should be done and already has been made 
part of the record. We agree on it. 

I look forward in January to authoring or coauthoring a letter in- 
dicating a continuing interest on our part for that consolidated ju- 
risdiction. 

I yield back. 

Chairman King. The Ranking Member yields back. 

I recognize the gentleman from Alabama, the subcommittee 
Chairman, Mr. Rogers. 

Mr. Rogers. Thank you, Mr. Chairman. 

It is good to have Mr. Skinner and Mr. Baker back before us, as 
they have been many times in the past. I look forward to hearing 
from our other witnesses. As you all are aware, I chair the TSA 
subcommittee. We have held, as a part of our hearing process, 
three hearings on the procurement acquisition process, which has 
a problem in TSA. But it has a problem Department-wide, as you 
all know. 

GAO just released its most recent report examining this acquisi- 
tion process. One of the most disappointing facts, which we also 
found in our hearings, was that most of DHS’s major programs re- 
ported their planned capabilities changed well into the procure- 
ment process. Which obviously costs money, but not just for the De- 
partment. But it costs money for the private sector. 

When you throw out these requests for proposals without talking 
to anybody first about what is possible, and then when they come 
back and say, “Well, we can’t do that, but here is what we can 
do,” — and they have spent several hundred thousand dollars — ^you 
say, “Well, that is not what we want,” and they pull it back, it is 
completely unfair to the private sector. 

But it also doesn’t help us achieve the goals that we are trying 
to achieve with the Department. I am interested in your thoughts 
on what we can do to remedy that. What is practical? 

Let us start with Mr. Baker. 

Mr. Baker. I will not pretend to be an acquisition expert. But 
my overall view of the acquisition process of the various parts of 



43 


the Department is, this has turned out to be something that only 
a truly mature agency can do well. CBP certainly has problems, 
but has managed its procurements better than most of the compo- 
nents of the Department. 

TSA, as a new agency, doesn’t have the kind of depth of staff and 
experience to do it as well as CBP. 

Mr. Rogers. Right. Well, that is one of the things I have men- 
tioned to them in the hearings, is you are exactly right. A mature 
department does it well. And the best example is DoD. They found 
all the potholes in the road, and they know how to get around 
them. 

I have urged TSA and DHS as a whole to model their process 
after DoD, and they pushed back hard against it. I don’t under- 
stand why. 

Mr. Baker. You know, it is the process, it is certainly true, 
where DoD has been in every pothole that you can find out there. 
Part of it is just personnel. You need personnel who have been 
doing this and made some mistakes, and understand how those 
mistakes are going to play out, and who are not wooed away by 
contractors to get new business in the future. 

I have often thought that we ought to find a way to penalize peo- 
ple who hire our procurement officials in the first 5 years of their 
service. Because part of the problem is having a real depth of staff. 

Mr. Rogers. Anybody else? Mr. Maurer. 

Mr. Maurer. Yes, I think the first thing that DHS needs to do 
is just follow their own policies and procedures on acquisition. One 
of the things we found in the report that was issued yesterday was 
that we actually gave their policies pretty good marks. Their best 
practice, the problem has been they haven’t been consistently fol- 
lowing them. If they followed their own rules they would have bet- 
ter outcome. 

Mr. Rogers. Why do you think that is? 

Mr. Maurer. Well, I think in the early years of the Department, 
and it continues even today, there is an overriding sense of ur- 
gency, which is important. It is part of their mission. But it leads 
to 

Mr. Rogers. Purchasing puffer machines. 

Mr. Maurer. Puffer machines that don’t work. It leads to rush- 
ing to failure. There has been a whole host of those. SBInet and 
ASP and CAARS. There is a whole alphabet soup of failed acquisi- 
tions that DHS has had over the years. This report is the latest 
example of that. 

I know the subcommittee — Mr. McCaul’s subcommittee — tomor- 
row is having a hearing on this to talk more in depth. So I think, 
yes, first-off DHS needs to follow their policies. I think they have 
some real shortages in terms of qualified staff to help oversee and 
review these acquisition programs. 

The third issue they really have to come to terms with is that 
they probably signed themselves up to purchase more acquisition 
programs than they are likely to be able to afford in outyears. I 
mentioned in my statement, there is almost $170 billion in sort-of 
total life-cycle costs. 

That is a rough guess. I mean, they don’t really know what they 
have signed themselves up for. If we are going to continue to face 



44 


tough budget times, they are going to have to make some really 
hard decisions on where they are going to put their resources. 

Mr. Rogers. I agree. One of the things I have pushed them to 
do, though, and it is hard to get them to do, is to start conversing 
with the private sector in advance. To call the private sector in, do 
a notice on FedBizOpps or whatever. Bring them in, and say, “Lis- 
ten, these are the things we are trying to accomplish. What is pos- 
sible?” Get some dialogue going. 

Yes, sir. 

Mr. CiLLUFFO. Mr. Rogers. Beyond simply as it affects TSA, but 
generally speaking, metric performance measures. I don’t mean to 
get too philosophical, but at the end of the day what gets measured 
gets done. But are we measuring what matters? It is that second 
set of questions that I think you can see improvement in the fu- 
ture. 

Wherein the Quadrennial Homeland Security Review aligns with 
a bottom-up review so you can actually — a policy without resources 
is rhetoric. But if you can actually match up the priorities from a 
budgetary standpoint, that is kind of the way the Department of 
Defense does it with the Palm process and with the QDR. 

One thing I might note though, that it took the Goldwater-Nich- 
ols Act to be able to really prioritize those needs that were purple, 
that were across services, that were unique beyond any particular 
military service. The Department doesn’t have a COCOM-like 
structure. Maybe it should. That is a different set of questions. But 
it doesn’t at this point. 

Mr. Rogers. Excellent. Thank you. 

I yield back. 

Chairman King. The gentleman yields back. 

The gentleman from Michigan, Mr. Clarke, is recognized for 5 
minutes. 

Mr. Clarke of Michigan. Thank you, Mr. Chairman. 

Just to all of those who are testifying, my major concern is about 
the security of our power systems, our power grid, or airports, espe- 
cially our municipal drinking water and sewage systems. A cyber 
attack on the industrial control systems that govern these assets 
could have a devastating impact on areas like metropolitan Detroit, 
especially if there was a cyber attack against our municipal drink- 
ing water and sewage system. 

If any of you have some thoughts on the type of policies that we 
could implement here to better protect the American people from 
such a cyber attack, that is information I would like to hear. I do 
have some specific questions. One issue, raised by Mr. Baker, about 
the role that private companies who are victims of a cyber attack 
could play in terms of funding Federal investigations into those at- 
tacks. 

Also, Mr. Cilluffo raised the issue of Iran and Hezbollah. Are 
there any specific instances or concerns that we should have re- 
garding Iran and Hezbollah regarding a cyber attack on our coun- 
try? 

I yield back my time. 

Chairman King. The gentleman 

Mr. Clarke of Michigan. Well, I would like to get a response, 
and then I yield back my time afterwards. 



45 


Mr. Baker. In terms of industrial control systems, you are abso- 
lutely right that practically everything that civilized life in Detroit 
or any other American city depends on is an industrial control sys- 
tem. Those systems, as the Stuxnet attack on Iran’s Natanz enrich- 
ment facility shows, are vulnerable to attacks that can break the 
systems. 

No major city is going to survive in an orderly fashion if it has 
no power and no water and the sewers are not functioning prop- 
erly. You can break all of those things with a properly designed at- 
tack. To prevent that, we need to make sure that our systems, to 
the extent possible, have been pulled off of the internet and that 
there are not internet connections. 

We need to talk to the software manufacturers and hold them to 
high standards in terms of how secure those systems are. They 
have never been secure because they didn’t think they were con- 
nected to the internet. They are now discovering that they are. The 
hardware in those systems is also not secure, and we need a re- 
search agenda that will improve the security of the hardware. 

Finally, in my personal view we are probably putting far too 
much emphasis on smart grid deployments today. We talked ear- 
lier, Mr. Maurer talked, about rushing to failure. Smart grids are 
connecting our power systems, and they offer some real savings. 
But they are connecting our entire power system to the internet in 
ways that we could end up regretting. 

So those are all things that I would suggest we begin imme- 
diately to pursue. I will come back to the private-sector issue if oth- 
ers finish in time. 

Mr. CiLLUFFO. Mr. Clarke, thank you for your question. I mean, 
this is a multifaceted set of issues. Clearly, we have seen attempts, 
and successful hacks, on supervisory data and acquisition systems. 
The underpinnings of our critical infrastructure is not only over- 
seas, but those attempts are spiking domestically, as well. 

So in terms of critical infrastructure, yes. But I think you have 
got a bigger issue. Back to some of the acquisition questions, we 
haven’t baked security into the design of our architectures. That is 
why I think, rightfully so, the House Intelligence Committee is ask- 
ing very tough questions vis-a-vis Huawei, ZTE, and anyone else 
who could potentially have access to our backbone, our very critical 
infrastructures, that are most significant for computer network ex- 
ploit, espionage, or potential attack. 

More needs to be done there. We have got to figure out what are 
the right carrots and what are the right sticks. We have talked a 
lot about the sticks, but I think there are some carrots; tax incen- 
tives, liability protections, if you meet a certain standard in BAR. 
Which I think should be initiated by a third party. I call it a Good 
Housekeeping seal of approval. 

So it is looking at what are the right carrots and sticks. Some 
critical infrastructures are more critical than others. Those that 
really affect our ability and could impede our ability to project 
power, deploy forces and, from a National security standpoint, I 
think take on a different set of issues. 

Very, very, very briefly on Iran. Yes, we have seen a lot of activ- 
ity in this space. I recently testified — I see Mr. Lungren here — ^be- 
fore one of his committee hearings specifically on Iran before all 



46 


these unhelpful leaks in terms of what we have seen on the cyber 
side. They have stood up a cyber army, the Baseez and some of 
their proxies have been involved. There is a cyber Hezbollah that 
is involved in primarily intelligence collection. 

So there is reason to be concerned. There are attacks going on 
as we speak on some of our banking sectors that some people aren’t 
sure where they are necessarily generating from; notably Bank of 
America, Chase, and others. So I think that is an area we need to 
be concerned about. 

But let us not treat all attacks the same. Hacking a website is 
like graffiti in cyberspace. It is bad, but it is not the same as at- 
tacking the very critical infrastructures or damaging the data that 
those systems run. So we have got to take some of those issues into 
consideration. 

Finally, there were attacks this summer on Saudi Aramco and on 
Qatari RasGas. To me, this is where I was talking about what sorts 
of products NPPD and INA could provide to the critical infrastruc- 
ture owners. They should have taken those lessons learned and be 
able to share some of the signature data with our own critical in- 
frastructures. 

I might note that a big thing I have been pushing is the Defense 
Industrial Base pilot, which right now is primarily focused on the 
defense contractors. I really feel that should be expanded to our 
critical infrastructure owners and operators; at least the most crit- 
ical infrastructure owners and operators. 

Mr. Clarke of Michigan. Mr. Chairman, if we do have time I 
would like Mr. Baker — the opportunity to 

Chairman King. Actually, we are running on this. I appreciate 
it, but let me just say I want to thank you for your service on the 
committee, Mr. Clarke. No one knows what the future holds, but 
it has been a privilege having you work with us on the committee. 
Even if you are on that side, and ask some tough questions some- 
times. 

Mr. Clarke of Michigan. It is an honor to serve our country 
here, and it is an honor to serve with you in this panel. Thank you. 

Chairman King. Thank you. 

The gentleman from California, our leader on cybersecurity, Mr. 
Lungren. 

Mr. Lungren. Thank you very much. Thank the panelists. 

I hope I am not contrarian in this. I have been on this committee 
for 8 years now, and been part of the oversight for the Homeland 
Security Department. Frankly, I think they are better now than 
they were back then. I think there has been improvement, there 
has been some maturation. 

I guess the question is: How far along are we in the maturing 
process? When we compare this to DoD, as was mentioned, it took 
a long time for us to have the reorganization of DoD to get where 
we are today. So I, frankly, have seen what I consider to be im- 
provement. 

I believe we are safer today because of DHS, even with all the 
warts and the shortcomings that we have. So I wanted to start 
with that. 

The second thing I wanted to say is fusion centers. We have a 
fusion center in my district, which I have been out to see any num- 



47 


ber of times. I am impressed by the level of cooperation, collabora- 
tion, exchange of information and respect for all the participants — 
local. State, Federal, including DHS. 

Mr. Baker, have you seen that? What I see in the Sacramento 
region, is that the same as you have observed or that you have 
been made aware of around the country? 

Mr. Baker. Yes, there are some very successful fusion centers 
that are doing great work and that have really built deep relation- 
ships between DHS and local and State authorities. I have had 
people say if you have seen one fusion center you have seen one 
fusion center. They are very variable, and not all of them are as 
successful as the one in your district. 

But I think they have turned out to be an enduring institution. 
We may end up seeing consolidation or rationalization of some of 
them as the budget gets tighter. But it seems to me they have been 
a very valuable way for DHS to actually make a difference in local 
policing. 

Mr. Lungren. See, that is one of the concerns we have. When 
we look at budgets, there are those who look at things like that as 
the first thing to go. I don’t think it ought to be the first thing to 
go. I think it ought to be one of the things that we try and make 
even better. Because in the area of terrorism, as in so much other 
things, much of the intelligence is gathered by people who weren’t 
looking for terrorists as their first objective. 

Mr. Baker. Right. 

Mr. Lungren. There are so many more eyes and ears with local 
law enforcement than there are Federal agents. Part of our job is 
to make sure that we give the expertise, share the expertise, on the 
Federal level with those at the local and State level. Then, with the 
analysts — perhaps they are Federal analysts, perhaps they are an- 
alysts that come from other departments — but utilize that, that 
ability. 

I fear that when we run into these tough budget times that is 
the first thing to go because it is not a fancy gadget, it’s not a new 
thing that comes out of S&T, even though I want things to come 
out of S&T. So I am concerned about that. 

In the area of cyber, one of the concerns I have had has been the 
tremendous personnel turnover we have seen within the cybersecu- 
rity mission within the Department. At the same time, I have been 
impressed most recently with an added robustness of that element 
of DHS. In part, because of the infusion of a good number of people 
from the private sector. 

So two questions for you, Mr. Cilluffo, and also Mr. Baker: What 
is the basis of the difficulty for us keeping people in the cybersecu- 
rity arena in DHS, No. 1? No. 2, do you think the failure of the 
Congress to get a statutory authority and an institutionalization of 
the lines of authority within the Executive branch on cybersecurity 
is, in fact, a serious problem? Or is it just something we can take 
care of by way of Executive Order? 

Mr. Cilluffo. 

Mr. Cilluffo. I will start, and I am just going to say one thing 
on fusion centers. Because we have done a number of surveys, the 
first surveys, to try to bring a little bit of science to the art of intel- 
ligence. I agree with your position 100 percent. 



48 


The one thing I would note that they are lacking, and the major- 
ity of them suggested as much, was analytical tradecraft and capa- 
bility, No. 1. Second, their ability to do threat reporting on the 
cyber side is weak, and they need to build that up. 

But to your question on cyber retention, it is a huge issue. Not 
only at the Department of Homeland Security, but across the De- 
partment of Defense and the intelligence community. Because you 
have so many greater opportunities in the private sector. Not only 
financial, but sometimes less bureaucratic. One of the things I 
think we need to start thinking about in terms of authority is our 
active defenses, where you give other entities the ability to respond 
in real time, in certain circumstances, in accordance with our laws. 

So I don’t think an Executive Order — I mean, this is an issue 
that is so important for our country, it is so important for all 
branches of Government to be able to acknowledge and recognize 
that this is a significant set of issues. I don’t think you can just 
pay for it forward by Executive Order. I think it requires a debate, 
it requires a discussion. 

It is extremely important, looking to future, that you — I don’t 
think you can promulgate it through an Executive Order alone. I 
think Congress has not only an opportunity, a responsibility, to ad- 
dress these issues. 

Mr. Baker. On personnel, look, this is a hot field and people who 
do well in it in Government are going to get lots of job offers. We 
do need to face the fact that we will have turnover at some point. 
I will note that NSA, where I have also worked, has addressed that 
issue by and large as a culture where they expect people to come 
in and spend 25 or 30 years doing what NSA does. They get some 
very talented people. 

They lose people, but they have held onto their people better 
than DHS cyber has. My suggestion would be, on this as on many 
other things, DHS needs to be borrowing personnel and capability 
from NSA, bringing them over, making them part of the career pro- 
gression within NSA so that they can get the benefit of the tal- 
ented folks that NSA has. 

On the question of Executive Order versus legislation, legislation 
would be better but I am a realist. I actually think the Homeland 
Security Act gave a lot of authority, at least within the civilian arm 
of the Federal Government, to DHS. What we have seen is, the 
President by and large seems prepared to back that up by saying 
no, I really want you to do what the Homeland Security Act con- 
veyed to you. 

That is progress. So I have supported an Executive Order, I 
think it is a good idea. There are things that can’t be fixed. The 
Rogers bill, CISPA would be a much better solution than any pri- 
vate or Executive Order solution to the information-sharing prob- 
lem. I frankly think, though, we are in for a period of a year or 
more in which nothing is going to happen in Congress so we need 
to be looking at everything that can be done within the Executive. 

I don’t think we have gotten to the end of the things the adminis- 
tration can do to improve cybersecurity. 

Chairman King. The time of the gentleman is expired. 



49 


The gentleman from New York, Mr. Turner. I am sorry, how did 
I forget? Here I am talking away to the temporary Ranking Mem- 
ber, who has ascended very quickly to the throne. 

The gentlelady from California, who has been a very close bipar- 
tisan worker on this committee, Ms. Hahn. 

Ms. Hahn. Thank you. Chairman King. I will start by adding my 
shout-out to my colleague from California, Mr. Lungren, on the ne- 
cessity of our fusion centers. There is one in the Los Angeles re- 
gion, as well, that is very significant. 

I would dare say many of the plots that have been foiled over the 
last years were a result of the information that was cobbled to- 
gether in our fusion center. I think we, as Members of this com- 
mittee, ought to be very clear and very precise in advocating for 
the continence of our fusion centers. 

I have appreciated the gentlemens’ testimony, and your knowl- 
edge about our Department of Homeland Security and the future. 
I have a district that borders the largest port complex in our coun- 
try, Los Angeles and Long Beach. To that end, I have been con- 
cerned about port security. 

In fact, my very first hearing here in the Homeland Security 
Committee was the 9/11 report card. At that time, it had come out 
that probably we were a little lacking. I would like to hear Mr. 
Baker’s grade for port security in this country. 

To that end, I will say thanks to Chairman King, and a real bi- 
partisan support. I was able to pass my first bill this year, on ask- 
ing the Department of Homeland Security to report back to Con- 
gress on assessment of our port security. I would love to hear your 
analysis of how we are doing. 

I tend to think it is still a very vulnerable entryway into our 
country through our Nation’s ports. Specifically, I would like to 
know, generally, how you feel about that. But specifically, speaking 
of managing our resources, I have heard from a number of ports 
across this country that the port security grants, which I am a big 
advocate of 

We have done things in this committee to continue port security 
grants. But some of the deadlines, some of the requirements, some 
of the, you know, burdens that, apparently, we are putting on port 
authorities to actually use these port security grants in an efficient 
way are hindering what I believe ultimately is the securing of our 
Nation’s ports. 

So I would love to hear your assessment specifically of port secu- 
rity, and how we are managing our port security grants. 

Mr. Baker. So I can’t give you much useful information about 
the grant management because I think I am out-of-date on that. I 
did participate heavily in the Port Security Act process and the im- 
plementation of that, and it’s been continued by the next adminis- 
tration. 

On the whole, I would give that effort about a B. I think, given 
the amount of attention that has been put on that and the number 
of authorities — not just GBP, but also Coast Guard, that are avail- 
able — the Department has done a reasonably good job of trying to 
improve port security. You know, obviously it has not been able to 
move inspection for nuclear weapons overseas the way one would 
like, and that isn’t going to happen anytime soon. 



50 


Not because of incompetence on the Department’s part, but be- 
cause, you know, we have to persuade our negotiating partners to 
do that. One of my biggest worries is that if we are looking for nu- 
clear weapons, which is a fundamental part of our port security 
program, that may be smuggled into the United States we have 
pretty good mechanisms — not perfect, but pretty good mecha- 
nisms — for identifying those weapons if they come in in containers 
through the ports. 

We are much less well-protected against the possibility that 
someone will put that into a private jet and just file a plan for 
Teterboro and never get to Teterboro. Just set it off before they 
land it in the United States. We need an approach to nuclear weap- 
on smuggling that looks not just at ports, but at all the ways peo- 
ple might smuggle stuff in. 

The joke is, the best way to get it in is to wrap it in a bale of 
marijuana. We need to be looking at all of those. I think actually 
we have done a better job of securing our ports against that threat 
than most of the other mechanisms by which people would bring 
a nuclear weapon in. 

Ms. Hahn. Any other members of the panel want to speak on 
port security? 

Mr. Maurer. We issued a report specifically on the Port Security 
Grant Program about a year or so ago, and highlighted some of the 
issues you pointed out. Specifically, it takes too long for the money 
to flow out to the actual recipients. I think the good news there, 
in a nutshell, is that FEMA and DHS are taking actions to address 
our recommendations. 

My understanding is, they are starting to make progress on that. 
So that is good news. The second point, real quickly, is, one of my 
colleagues from GAO, Steve Caldwell, recently testified on the over- 
all state of port security. I think we would agree with Mr. Baker’s 
assessment. Generally speaking, that has been one of the relative 
areas of success for DHS over the course of the last 10 years. 

Ms. Hahn. Thank you. 

Mr. CiLLUFFO. A very general point. Smuggling is smuggling is 
smuggling is smuggling, whether it is drugs, weapons, people, or 
whatever illicit or even licit goods in tough areas. So one area 
where I think beyond just ports that we need to be doing more is 
we are seeing hybrid threats. Is it terrorism, is it crime, is it this, 
is it that? 

At the end of the day, I think there is some real opportunity be- 
tween the counternarcotics community and the counterterrorism 
community to further cooperate on some of these issues. Because 
again, the routes are going to be the same. The TTP, the terror tac- 
tics, might be the same. So how do we start bringing those worlds 
together? 

Ms. Hahn. Thank you. 

I yield back. 

Chairman King. The time of the gentlelady has expired. 

Now the gentleman from New York. Mr. Turner. 

Mr. Turner. Thank you, Mr. Chairman. 

One of the most important elements here in counterterrorism is 
intelligence. If you could give us a minute, maybe, on what you 
think can be done and improved for intelligence sharing. I am par- 



51 


ticularly taking this from a view as a New York representative, 
which comes both ways. 

The NYPD, as you may know, has its own intelligence operation. 
If you have a thought on the efficacy of that, and what are the 
things that could be improved upon in the next year or two. If you 
would be kind enough to begin. Honorable Skinner? 

Mr. Skinner. I would be happy to. That is one of the things. I 
think the biggest concerns I had dealt with the integration of our 
IT systems and creating a capability to communicate on a real-time 
basis. The Department, within itself, has problems just commu- 
nicating across the various component lines. 

One of the biggest challenges — and I believe I alluded to this ear- 
lier — is our ability to then communicate on a real-time basis with 
our Federal partners and, particularly, with our State and local 
partners. The fusion centers, I think, is a good step forward to im- 
proving that communication capability. But I still think we have 
problems with getting access on a real-time basis, giving people the 
clearances so that they can communicate on a real-time basis, and 
developing a trust. 

Fusion centers, I think some operate very well. But again, we 
talk about do we need as many as we have? Probably not. Can we 
do a better job in consolidating those fusion centers and building 
on a cadre where they are most needed on a risk basis would be, 
I think, a step forward. But building an IT capability to allow us 
to communicate, I think, is one step that we need to continue to 
work on. 

Mr. Turner. How far away are we from that ideal? 

Mr. Skinner. Quite frankly, I think we are very far away. 

Mr. Turner. Thank you. 

Mr. Baker. You know, the New York police department is one 
of the crown jewels of our counterterrorism effort, and the only 
non-Federal agency that really provides an alternative model for 
how you respond to terrorism effectively. I was disappointed to see 
the Associated Press and a few other folks kind of sniping at NYPD 
and inviting Federal oversight as a way of kind of making them 
less effective. 

We should have more local law enforcement agencies that were 
learning from NYPD, that were willing to talk directly to the U.S. 
intelligence agencies. So I would say they should be a model, rather 
than somebody subjected to criticism. 

On information sharing, let me just highlight an area of informa- 
tion sharing that I think is far worse than the relationship with 
State and locals. It is information sharing on cyber intrusions 
where, in fact, law enforcement agencies know an enormous 
amount about who is doing them, what tactics they are using, why 
they are targeting people, and who they are targeting. 

The targets are in the private sector. The sharing with the pri- 
vate sector at that level of detail, in my view, is nowhere near as 
good as it with State and locals on the counterterrorism mission. 

Mr. CiLLUFFO. I think Stewart and I are hanging out too much. 
NYPD is clearly the gold standard in this business. I might note, 
though, Ms. Hahn and others that if New York police department 
is the gold standard, LAPD is the silver standard. 



52 


But once you get outside of New York, Los Angeles, Texas and 
some of these other areas, Arizona, you really have a mixed bag. 
At the end of the day, that is why I think we really do need to in- 
vest in the fusion centers. It could probably afford some culling to 
be able to build on the best. 

The last thing I want is the successful initiatives to be thrown 
out — the baby thrown out with the bath water — if we see the need 
to cut, and we are not going to cut the right ones. In essence, you 
are going to have entities that perhaps ought to be put on life sup- 
port, and you have got the gems that are going to be stymied. 

New York has its own intelligence capabilities. They have an 
overseas presence. Very few police departments have an overseas 
presence. So I don’t think it is even constructive to compare that — 
maybe LAPD — with the rest of the country. But as much as can 
lean forward, enable and support, it has been a target multiple 
times. 

Unfortunately, it is a target almost every day; much of which we 
don’t read about. So I support that 110 percent. One thing on the 
intelligence picture writ large. I would argue that we need a true 
domestic intelligence estimate. We don’t have regional threat as- 
sessments domestically for the Jihadi threat, for Islamist threats. 
The United Kingdom, for example, does. 

I am not suggesting we need a security service or an MIS in the 
United States. Actually, quite the opposite. Push the capabilities to 
our State and local authorities. One area where we are the best in 
the world, hands down, are JTTFs. But that is only when an inves- 
tigation is open. 

Once we get the blip on the radar screen we are the best, period. 
But what about in that steady state, to be able to see what that 
threat environment looks like for the unknown unknowns. That, I 
think, we still have a lot of work to do. As much as we can invest 
in our State and local authorities, we ought to. 

Mr. Maurer. Very quickly, I think you should know information 
sharing is one of GAO’s high-risk areas. So clearly there is a lot 
of work that still needs to be done there. We want to see closer col- 
laboration among all the Federal partners and a greater ability to 
work with State and locals, as well. 

Chairman King. The time of the gentleman has expired. 

Again, Mr. Turner will be leaving the committee at the end of 
the day. I want to thank him for his service. He does an out- 
standing job, and I want to thank him for his dedication to the 
committee and to the people of New York overall. 

Also, let me associate myself with the remarks of Mr. Baker and 
Mr. Cilluffo on the NYPD. I just hope that the Associated Press and 
New York Times were listening. 

With that, I recognize the gentlelady lady from Texas, Ms. Jack- 
son Lee, for 5 minutes. 

Ms. Jackson Lee. Let me also thank my colleague for his serv- 
ice, as well. I think, as the Ranking Member and the Chairman 
mentioned at the beginning of this hearing, we are committed in 
a bipartisan way to the security of this homeland — and, I would 
like to put on the record — for the greatest country in the world. I 
heard someone define us as the greatest democracy in the world. 
I am going to redefine us as the greatest country in the world. 



53 


So I am very grateful for our commitment. I also want to asso- 
ciate myself with the comments “mayhe one day.” I am going to ask 
for just a yes or no answer. That the streamlining of jurisdiction 
oversight of homeland security is imperative for a consistent and 
efficient and effective securing of the homeland. 

Mr. Skinner, do you agree? 

Mr. Skinner. Yes. 

Ms. Jackson Lee. Mr. Baker. 

Mr. Baker. Amen. 

Ms. Jackson Lee. Mr. Cilluffo. Do I get it right? 

Mr. CiLLUEFO. Yes. 

Ms. Jackson Lee. GAO in particular, Mr. Maurer? 

Mr. Maurer. You know, we got to he agnostic on that one be- 
cause we serve the whole Congress. I don’t say that to dodge the 
question, but because I know this has been an issue that has been 
debated among the Members across the various 

Ms. Jackson Lee. We will give you a pass. 

Mr. Maurer. Okay. 

Ms. Jackson Lee. Let me also indicate that I look forward, if we 
all return by way of election, to really look at this regional security 
threat concept. I think that is a very important new note to hear. 

I am going to try and ask a number of fast-moving questions, 
and try to get through all of you. May not, but let me start with 
Mr. Maurer. I hope you can comment that investing resources, or 
the utilization of resources funding, is crucial to some of the assess- 
ments that you have made. 

Do we need to continue the right and reasonable and effective 
and continued funding for Homeland Security? 

Mr. Maurer. Absolutely. You are going to need resources to 
achieve many of the things the Department wants to do. They are 
making 

Ms. Jackson Lee. That are still not done. 

Mr. Maurer. That are still not 

Ms. Jackson Lee. And are crucial to securing the Nation. 

Mr. Maurer. Absolutely. They have made good progress so far 
to date. One of the biggest criticisms we have had of their plans 
to date, frankly, is the fact that they have resource limitations in 
executing those plans. Now some of that rests in the Department, 
quite frankly, and setting priorities on where they are going to 
spend the money that Congress appropriates to them. 

Ms. Jackson Lee. The border, which is something that I have 
been particularly attentive to because I come from the State of 
Texas. Have we made improvements since, for example, 2005? I 
particularly remember enhancing the Border Patrol agent census, 
or population; adding more, and giving them enhanced equipment. 
Has that made a difference? 

Mr. Maurer. Yes, it has. There are certainly many more Border 
Patrol agents on the Southwest Border as well as the Northern 
Border. DHS continues to invest in enhancing the training that 
they receive, as well as the acquisition tools and the systems that 
they use in the course of their job. 

We still have a number of concerns about the technology en- 
hancements DHS plans to make on the Southwest Border. The col- 
lapse of SBInet was a major failure for the Department, and we are 



54 


watching what they are doing on that front very carefully right 
now. 

Ms. Jackson Lee. I think we would he very eager to know that 
even though we have the rise of drug cartels, gun trafficking, which 
we just heard the IG’s report that I think I can put on the record. 
That the attorney general had no knowledge of the gun trafficking 
and the Fast and Furious issue. 

But we do know that there are elements that were not effective. 
But with all of that, getting those other agencies to collaborate, we 
can see in the future a secure border or a securer border? 

Mr. Maurer. It definitely depends on the execution among the 
various departments and agencies. That is certainly our hope, and 
we will be there to provide oversight to help assist the Congress 
in its own deliberation. 

Ms. Jackson Lee. All right. Gentlemen, I am going to give three 
questions and I would like you to answer. I see my time is — and 
I ask the Chairman for an indulgence. They could pick the ones 
that they would like. 

I do want to indicate that I would like to see the CERTl program 
improved — I don’t think the outreach goes to minority communities 
sufficiently — and that is the response program during disasters. I 
think the procurement is way in need of repair in terms of out- 
reach to small businesses. 

But these are the questions I would like. We have seen a rash 
of attacks or threats to universities, bomb threats. I believe we 
need an ombudsman or a focus inside Homeland Security that is 
an immediate response team to our universities. Some of these, ob- 
viously, are prank calls. Or at least they have been determined as 
that. 

But with the rash of incidences that have occurred, I would ap- 
preciate your comment. I would appreciate your comment on the 
importance of reaching out to Muslim-Americans and retaining and 
hiring them in the security process. I would appreciate your com- 
ment on the importance of homeland security and civil liberties. 

Anyone want to start first? 

Chairman King. I would ask the gentlemen if they would try to, 
you know, give brief answers. Try to keep it in the next 2 or 3 min- 
utes. 

Ms. Jackson Lee. Mr. Chairman, I thank you. 

Mr. Baker, you are up. 

Mr. Baker. Okay. So I would say ombudsman to universities, or 
at least a place to call after you get a call you can’t tell is crank 
or not, absolutely it is a great idea. It should be part of information 
sharing. Outreach to Muslims has been going on, should continue 
to go on and I think, on the whole, has been successful for the De- 
partment and the U.S. Government generally. 

On civil liberties and privacy, frankly if there were a job I want- 
ed in Government it would be chief privacy skeptic. I think the pri- 
vacy groups have not, on the whole, treated DHS well or its pro- 
grams. We probably should be more skeptical about privacy claims 
than we are. 

Ms. Jackson Lee. All right. Well, Mr. Skinner. 

Mr. Skinner. I have nothing to add to what Mr. Baker just said. 
Very well put. 



55 


Mr. CiLLUFFO. Just that I agree on the university side we need 
a hellyhutton. I am not sure exactly how that looks like, but I am 
standing where I sit. I am at George Washington University now. 

Second, in terms of civil liberties, I don’t think the debate has 
been cast as an either/or proposition. I don’t think that is healthy. 
You can, and must, have both. When you start looking in the cyber 
domain in particular, there are going to be a lot of questions. 

But I agree with Stewart. Many of them are red herrings. A lot 
of them are not necessarily — that is not to suggest we don’t take 
it seriously. We do. But I think most of the people, having been on 
the inside you hear more from your lawyers than you hear from the 
ops guys in terms of what it is you can and cannot do. 

That creates, to some extent, a chilling effect. Which is why, 
again. Congress, I think, has an opportunity and a responsibility 
to address some of these issues and move some legislation. 

Ms. Jackson Lee. You should not take privacy lightly, however. 

Mr. CiLLUFFO. Absolutely not. It is you build too many walls, the 
bad guys win by default because our way of life has been lost. That 
is what we are, is a federalist democracy, of course. 

Ms. Jackson Lee. Mr. Maurer. 

Mr. Maurer. You definitely want to consider civil liberties as 
part of the overall approach to cybersecurity. Absolutely in agree- 
ment on that. Outreach to the Muslim community is absolutely 
vital. I agree with that, as well. I think it is an interesting concept 
you talk about for an ombudsman, and certainly worth looking 
into. 

Ms. Jackson Lee. Thank you very much. Mr. Chairman, thank 
you. 

I yield back. 

Chairman King. The time of the gentlelady has expired. 

The gentleman from Texas, chairman of the Oversight Sub- 
committee, Mr. McCaul. 

Mr. McCaul. I thank the Chairman. 

I want to follow up on something Mr. Lungren talked about. That 
is, you know I think one of the greatest disappointments I think 
I, and this committee I think, share in is that the Congress did not 
pass cybersecurity legislation, which is so important. Every day 
that goes by without those authorities, more Americans are at risk. 

So I hope that if we can’t get it done in this Congress we can 
certainly get it done next Congress. A very small point, and I want 
to go on to two other points. 

But, Mr. Baker, you mentioned an interesting idea. I think part 
of the problem is the perception that DHS just doesn’t have the ca- 
pability that NSA has. That probably is reality, too. So to put that 
faith and trust in DHS because I personally think, and I think Mr. 
Lungren and the Chairman agree, that a civilian authority is the 
more appropriate in a domestic sense rather than a military. 

Now, NSA can work with DHS and that is what you want. But 
how do you get NSA, you know, capability or NSA employees to 
come to DHS? 

Mr. Baker. So, in fact, some of that is happening. You know, I 
am an alumnus of both organizations, and may be the only one 
who has had a political appointment in both. But I don’t think that 
you can bring staff over from NSA, detail them in. They are oper- 



56 


ating under DHS authorities and constraints, but they are bringing 
a raft of technical capability that otherwise it would be very hard 
for the Department to hire. 

What we need is enough technically competent people at the De- 
partment so they feel that they can take advice from NSA employ- 
ees without fearing that they are getting a whole bunch of policy 
advice they don’t see buried in the technical 

Mr. McCaul. I like the detail approach. Because I think, again, 
they kind of have to earn the respect of the Congress for the Con- 
gress to give them those authorities. I think there is an issue with 
that. I personally think it should be more under civilian control. 

So, quickly, to move on, I am chairing a hearing tomorrow — I 
think, Mr. Maurer, you are going to be there — on acquisition, pro- 
curement. You know, we still see all the silos that Mr. Skinner 
talked about. Yet, you know, it is still a very solid F in terms of 
the acquisitions. So we don’t see — there were these recommenda- 
tions that were made, you know, several years ago. 

But they don’t seem to be followed. So you got a procurement 
process that has become very wasteful in its management. I mean, 
so overall how do you integrate this management together? But 
then how do you fix the procurement process? If you could answer 
it in a fairly short manner I would appreciate that. 

Mr. Maurer. Sure, absolutely. First off, I want to give good cred- 
it to my colleague, John Hutton. He will be the GAO witness to- 
morrow at your hearing. So he is taking the lead on this issue at 
GAO. 

But how to address the problem? First and foremost, DHS needs 
to follow its own rules. They haven’t been doing that, that has been 
at the root of the problem. Second, they do need to do a better job 
of managing the overall portfolio, and start making the hard deci- 
sions and figuring out what they can actually afford out in the fu- 
ture. 

But a third issue, they need to do a better job of coming up with 
life-cycle cost estimates. That sounds wonky and down in the 
weeds, but what it basically means is figuring out the price tag. 
What is it going to cost to procure these different systems, and over 
how many years is that going to take? Until they come to grips 
with all three of these issues they are going to continue to have 
problems. 

Mr. McCaul. Okay. A final a point is, Mr. Cilluffo, you talked 
about regional threats. I think that is a very smart approach. I led 
a delegation down to Latin America, and we went to, you know, the 
tri-border area, a Jewish community center in Buenos Aires. As 
you know, the Saudi ambassador applied the Quds forces. They 
were going to hit the embassies — and Israel, Saudi, and Argentina. 

So we look a lot at the Middle East, but there is a lot going on 
right here, too. My kind of nightmare scenario is a strike from 
Israel, against Iran. With everything that is happening right now 
already, with these embassies already being targeted, you throw 
that cocktail on top of everything and it is a Molotov cocktail. 

I can see, you know, there will be ramifications to that. There 
will be a response. I can see the Hezbollah operatives not only 
there but in this hemisphere which we know are here. I can see 
them lining up. 



57 


So is DHS prepared? Do you think they are even looking at this 
issue and planning to defend? 

Mr. CiLLUFFO. Mr. McCaul, you raise a number of very impor- 
tant points. I think as much as you can raise awareness in terms 
of the challenges you saw in the tri-border area would be helpful 
to the American people. Because we do have problems on our 
hands. 

It is not just in the tri-border area. Hezbollah has got a presence 
in the United States. In fact, the Los Angeles police department 
elevated the government of Iran and its proxies, notably Hezbollah, 
as a Tier I threat; highest threat level. NYPD has been leaning for- 
ward in terms of addressing some of these challenges. 

So I don’t think it is only in response to some actions that Israel 
or others may take. I think that you are seeing an uptick in activ- 
ity that, even short of that, warrants greater concern from the U.S. 
National security. 

Mr. McCaul. Then, in closing, I hope the Department is focused 
on this very aggressively in terms of defending the Nation rather 
than responding, or reacting to, a crisis. 

Mr. CiLLUFFO. I can tell you some are. I am not sure that is per- 
colating throughout the entire Department. But I have worked 
with some folks who are recognizing that as a challenge. 

Mr. McCaul. I thank the Chairman. 

Chairman King. The gentleman yields back. 

I would just point out, as Mr. McCaul knows, and he was part 
of the hearing, we held a hearing — at least one hearing, full com- 
mittee also, I think, some subcommittee involvement — on the whole 
issue of Hezbollah in this country. My impression was the same as 
yours. It is a serious threat not being taken seriously enough by 
everyone. By some, but not by all. 

With that, the gentlelady from California, Ms. Richardson, is rec- 
ognized for 5 minutes. 

Ms. Richardson. Yes, thank you, Mr. Chairman. 

I just have two questions for Mr. Skinner. One, in fiscal year 
2011 the Department entered into over 133,000 procurement trans- 
actions and over 81,000 thus far in 2012. I am concerned about the 
oversight of these transactions. On your watch, during the Depart- 
ment, we have obviously heard, and learned of, various problems 
of the procurement process, including contracts with SBInet, Deep- 
water, and Federal Protective Service contracts and Guard con- 
tracts. 

Yet the Department’s management budget appears to leave little 
room for improved oversight during the procurement process. How 
can you improve upon your contract oversight? 

Mr. Skinner. It is, I think, very basic. That is, increased staffing. 
Because I think the acquisition management function within the 
Department when it stood up, and even today, as much as they are 
trying to build a capability is still grossly understaffed. I think as 
part of the procurement process, when you develop your strategic 
plans, your operational plans, as to what you are going to be buy- 
ing in the outyears and in the current years, that we need to budg- 
et in, or factor in, the cost of the total procurement. 



58 


Just not the cost that we pay the contractor, but the cost to pro- 
vide oversight of those contracts. It is all part of the contract ad- 
ministration process. 

Ms. Richardson. Has that 

Mr. Skinner. I do not think that is being done right now. 

Ms. Richardson. Is there anything you need us to do to be able 
to assist you to have that happen? 

Mr. Skinner. The authorities are there, the guidelines are there, 
the policies are there. They just simply need to be implemented. I 
think with additional staffing, we could do a better job of managing 
the contracts as opposed to just simply awarding and then reacting 
to problems. 

Ms. Richardson. Okay. So, Mr. Chairman, if you would be will- 
ing maybe the committee would want to consider requesting of the 
Secretary that as contracts are distributed that, as Mr. Skinner 
has suggested, that the oversight be included in the overall cost 
that is being considered. 

Then that way, they might be able to have adequate staffing to 
take control of the taxpayers’ money, which I know you and all of 
us here are very concerned about. 

Chairman King. We will certainly consider that, and I will work 
with you and your office to try to bring that about. 

Ms. Richardson. Thank you, Mr. Chairman. 

The second question is: Mr. Skinner, on a scale of 1 to 10, how 
would you rate the Department of Homeland Security on its cyber- 
security efforts? Meaning, where are there improvements most 
needed from the Department’s perspective, and what legislation 
could we do to help you to better achieve those results? 

Mr. Skinner. First, let me say I am probably the least qualified 
person to ask that question on this panel. But based on my obser- 
vations when I was serving with the Department, they are making 
modest progress through their hiring efforts, their attention to the 
cybersecurity issues. But on a scale of 1 to 10, I would have to give 
them something around a 4. 

We have a long, long way to go. I think one of the primary 
things, and it has been repeated several times this morning, is that 
we definitely could use legislation to help guide the Department. 

Ms. Richardson. Okay. Would anyone else like to give a very 
brief response that wanted to chime in? 

Mr. CiLLUEFO. Just to piggyback Mr. Skinner’s comments. Gen- 
eral Alexander, when asked very specifically where the U.S. readi- 
ness was on a scale from 1 to 10, said a 3. So it is pretty much 
in line with some of that thinking. He is the commander of Cyber 
Command, and director of the National Security Agency. 

I do feel this is a big area that the United States — we are not 
any further along than our homeland community was shortly after 
9/11. 

Ms. Richardson. Wow. 

Mr. CiLLUEFO. The difference is, is we know the risks. So I think 
we have got a responsibility to move. 

Mr. Baker. I can just add, if the people who are attacking us for 
getting grades from their governments they would get at least a 6. 
So we are losing ground to the attackers. 



59 


Ms. Richardson. Mr. Chairman, I know that when appropria- 
tions come forward in the House, typically where we look to add 
more programs. Members of Congress will typically take money out 
of the management and oversight or salary bucket of a particular 
department. Take money from there and, you know, fund for an- 
other program. 

I would be more than willing to join you of us educating our col- 
leagues that in this particular area of cybersecurity — we can’t 
speak to every area — ^but the impacts of these cuts to the staffing 
in particular is really hindering the ability to move forward. If you 
would like to join me, or suggestions on how we might do that, I 
would welcome that. 

Thank you, sir. 

Chairman King. Be delighted to work with you. The time of the 
gentlelady has expired. 

Before I go on to Mr. Marino, I just want to acknowledge, in the 
audience, Robert Matticola, who is homeland security director for 
the New York waterway ferry in New York, and he has held that 
position since July 2008. It is obviously a job that is in the line of 
fire, and I want to commend you for your service. 

Now the gentleman from Pennsylvania, former United States at- 
torney, Mr. Marino is recognized for 5 minutes. 

Mr. Marino. Thank you, Mr. Chairman. I apologize for being 
late. I am trying to get to all of my committee hearings today. 

Gentlemen, it is a pleasure. As my distinguished Chairman stat- 
ed, I have been in law enforcement and I have been there for 19 
years. So I know what our men and women go through. I have been 
out there on the front line with them, I have their backs. I have 
worked closely with all the agencies throughout my career. 

You know, it is easy for us and anyone else to Monday-morning- 
quarterback our men and women and our agents on the line and 
in the field. Just unfortunate that much of the information and 
much of our operations — and I still say “our” because I still feel I 
am part of law enforcement, I will always be — has to be kept close 
to the chest because we don’t want the enemy knowing what is 
going on out there. 

But each one of you can respond to my question, if you would 
like to. Are our agents, are our people in the field, fully equipped 
with what they need to do what we expect them to do? Equipment, 
training, et cetera? 

Mr. Skinner, would you like to start? 

Mr. Skinner. I believe because of the rapid buildup within our 
law enforcement community, particularly with CBP and ICE over 
the past 5 to 6 years, that we are still behind the curve as far as 
providing the types of training and the degree of training that they 
need. 

As far as equipping them, I also believe that our infrastructure 
is trailing our hiring. We are hiring faster than we can build an 
infrastructure to support them. Third, as far as supervision and 
management, as we hire so many people so rapidly that brought 
some of our more experienced — or what we have done is, in es- 
sence, taken very inexperienced individuals and put them in super- 
visory and management roles. 



60 


That was the only alternative they had at that time. That does 
not mean to be a criticism. But all in all, I think we still have to 
catch up to the hiring. 

Mr. Baker. I don’t have anything to add to that. 

Mr. CiLLUFFO. I would just underscore field bias, field bias, field 
bias. As much as we can lean forward, if you look at the military 
community, the intelligence community, and other communities 
that have gone through similar issues commanders intent; push the 
capability down to the pointy end of the spear. 

In this case, I think the big potential gap is, we need to enhance 
our analytical capacity so State and local can — so they are not 
going in with — not blind, but with less vision, given the fog of cri- 
ses and situations. So push to State and local. That is my one 
takeaway. DHS’s role in that is significant and important, but it 
is really about looking at State and local authorities as their force 
multipliers. They are our boots. 

Mr. Maurer. I think DHS definitely deserves some credit, par- 
ticularly in the last couple of years, in coming to grips with its 
management problems. It gets right to your question. They are try- 
ing to do a better job with procurements, they are trying to do a 
better job with training, they are trying to do a better job with all 
the different entities working as one unified whole within DHS as 
well as their interagency partners. 

They are definitely not where they want to be or where they 
need to be, and they fully recognize that. But I am just encouraged 
by the fact they are paying more attention to sort of these basic 
fundamental resource and management issues. 

Mr. Marino. I understand that, being in the field, there are 
many agencies and many different types of work that has to be 
done. But can you give me a ball-park figure? We talked about 
training — and behind the curve on that — to adequately train our 
people on the front lines. Whether it is ICE, you know, whether it 
is DEA or whoever is — and Homeland Security protecting our bor- 
ders, or even overseas. 

How much time are we talking about for training? 

Mr. Maurer. I don’t know if you can put an exact time frame 
or dollar figure on it because training is an on-going thing. I mean, 
it is not only bringing in new Border Patrol agents. It is continuing 
to offer training throughout that person’s career. 

Mr. Marino. But I mean, you know, bringing someone in ini- 
tially. I know training is on-going, and should be. But let me put 
it this way. I don’t think there is any agency with whom I have 
worked where it is a 6-week training course and you are ready to 
rock and roll. 

Is that a correct statement? A significant amount of time is re- 
quired? 

Mr. Skinner. Absolutely yes, there is significant time required. 
I almost equate it to like a boot camp. Because when you bring 
someone in, you are giving them basic training. But as you 
progress, you are going to have to receive additional training. That 
training has to be kept up-to-date. 

It is just not a one-shot deal. It is constant. 

Mr. Marino. Totally agree. 



61 


Mr. Skinner. So there is a lot — the more investment we make 
in our training, the better performance we are going to get from 
our employees. 

Mr. Marino. Thank you, gentlemen. 

I yield back. 

Chairman King. The gentleman yields back. 

I want to thank all the witnesses for their testimony today. I 
think this is one of the most thoughtful and substantive hearings 
we have had. Your testimony was really invaluable. I think as 
Members of the committee, we often tend to focus on issues that 
are particularly important to us, a component to the Department 
that are important to us, or parts of the Department where par- 
ticular errors have been made. 

I think you were able to bring it together today and really show 
us the Department as a whole, its weaknesses and its strengths. 
As Mr. Lungren said, I think significant progress has been made. 
It is important to keep that in mind. But at the same time, we 
have to, you know, continue to make more progress. Especially ad- 
dress some of the more significant deficiencies. 

But at the same time, I think it is important that we let the pub- 
lic know, really, the overall job that DHS is doing. Because too 
often, when it comes time for budget cuts or whatever, people look 
upon DHS as not really contributing that much. The fact is, despite 
its persistence, al-Qaeda has not been able to perpetrate an attack 
on the scale of 9/11 in the past 11 years. The DHS has been a vital 
component of that. 

So with that, I want to thank you for your testimony. I would 
also want to thank the Members of the committee who were here 
today. Some Members may have additional questions for the wit- 
nesses, and we would ask you to respond to those in writing. The 
hearing record will be held open for 10 days. 

Without objection from the distinguished acting Ranking Mem- 
ber — 

Ms. Hahn. No objection. 

Chairman King [continuing]. The committee stands adjourned. 

[Whereupon, at 12:03 p.m., the committee was adjourned.] 




APPENDIX 


Questions From Chairman Peter T. King for Richard L. Skinner 

Question 1. Will you please share your views on the importance of the completion 
of the St.Elizabeths project to the Department’s efforts to consolidate operations and 
its potential impact on the Department’s performance? 

Answer. In my opinion, the inability of the Department to complete the St. Eliza- 
beths project as originally planned should have little, if any, impact on the Depart- 
ment’s efforts to consolidate operations and, most certainly, should not adversely im- 
pact its performance. Consolidating the Department’s components “under one roof’ 
so to speak is an issue of convenience, not one of performance, particularly in to- 
day’s IT environment of borderless networks, where any employee should be able 
to connect with anyone or any information from anywhere, using any device. Hous- 
ing “people” in one location may make it convenient for officials to conduct face-to- 
face meetings, but it will not address the real challenges facing the Department, 
and that is consolidating and integrating management support systems and oper- 
ations. Consolidating operations and improving performance are “management” 
issues, not “logistical or housing” issues. 

Question 2a. How would you compare the creation and maturation of the Depart- 
ment of Homeland Security to date to that experienced by the Department of De- 
fense in the decade after its establishment? 

Do you believe that now, almost 10 years after its creation, the Department 
should have matured more quickly and its components should be operating more ef- 
fectively and efficiently? 

Answer. While the creation of the Department of Homeland Security may be the 
largest Government reorganization since the creation of the Department of Defense, 
it pales in comparison to the enormity of the challenges faced by DoD upon its cre- 
ation. Accordingly, in my opinion, the Department of Homeland Security has, and 
should have, matured more rapidly to date than the Department of Defense in the 
decade after its establishment. 

I believe that now, almost 10 years after its creation, the Department should have 
matured more quickly and its components should be operating more effectively and 
efficiently. During its first 3 years of existence, neither the Congress nor the admin- 
istration gave the Department the resources needed to properly support the pro- 
grams and operations inherited from its legacy agencies. In particular, its manage- 
ment support functions were shortchanged, i.e., the financial, information tech- 
nology, acquisition, human resources, and grants management functions. During the 
second 3 years of its existence, both the Congress and the administration increased 
the Department’s funding for its management support functions, but, while making 
modest improvements, it fell far short of its goal to establish a cohesive, efficient, 
and effective organization. For example, the Department is still unable to obtain a 
clean opinion on its financial statements and internal controls; its components are 
still struggling to upgrade or transition their respective IT infrastructures; resources 
needed to implement acquisition policies are still lacking; and, it is impossible to 
determine whether the Department’s grant programs are actually improving our 
Nation’s homeland security posture. During the past 3 years, budget constraints 
have impeded the Department’s ability to make any significant headway and build 
on the modest improvements made since its creation. The Department’s new chal- 
lenge will be to sustain the progress already made and at the same time continue 
to make necessary improvements. 

Question 2b. How much longer is the argument that bringing together so many 
Federal agencies a legitimate explanation for the Department’s shortcomongs? 

Answer. Bringing together so many Federal agencies should no longer be a legiti- 
mate explanation for the Department’s shortcomings. The Department had many 
opportunities to address its management challenges, but, for a myriad of reasons, 
it failed to do so. Although some were out of its control, many opportunities were 

( 63 ) 



64 


lost due to poor management decisions or just plain indecision. Unless the Depart- 
ment stays focused on its shortcomings, it will be harder than ever to find solutions 
to stren^hen critical management support functions and, ultimately, to ensure the 
success of its homeland security mission. 

Questions From Chairman Peter T. King for Stewart A. Baker 

Question 1. Will you please share your views on the importance of the completion 
of the St. Elizabeths project to the Department’s efforts to consolidate operations 
and its potential impact on the Department’s performance? 

Answer. As noted in my testimony before the committee, one of the greatest chal- 
lenges facing the Department of Homeland Security going forward will be devel- 
oping a framework to enable proper coordination among all of the Departments big 
and proud components. Department leadership has done a good job at bringing the 
various components together to respond to major crises, but coordination on day-to- 
day issues is very much lacking. The St. Elizabeths Campus project, by bringing to- 
gether the leaders of all of DHS’s components under one roof, is critical to address- 
ing this larger Departmental challenge. Placing component and Departmental lead- 
ership in the same office space will, I believe, go far in building a unified organiza- 
tional culture and providing daily opportunities for DHS components to work to- 
gether cooperatively. 

Question 2a. How would you compare the creation and maturation of the Depart- 
ment of Homeland Security to date to that experienced by the Department of De- 
fense in the decade after its establishment? 

Do you believe that now, almost 10 years after its creation, the Department 
should have matured more quickly and its components should be operating more ef- 
fectively and efficiently? 

Answer. The Department of Defense’s history illustrates just how difficult inte- 
grating all of the components at DHS will be. When DoD was formed in the late 
1940s out of the Department of War and the Department of Navy, both of which 
had been established in the 1700s, DoD at least had the advantage of an existing 
unified office space and the recent experience of coordinating operations during 
World War II. All the same, it took years for DoD’s leadership to establish its au- 
thority within the entire Department. As late as the Cuban Missile Crisis in 1962, 
Secretary McNamara’s authority over the Navy was still in doubt. When the Sec- 
retary asked Admiral Anderson: 

“what would happen if a Soviet ship refused to stop or resisted boarding. Anderson 
answered angrily, ‘This is none of your goddamn business. We’ve been doing this 
since the days of John Paul Jones, and if you’ll go back to your quarters, Mr. Sec- 
retary, we’ll handle this.’” — Dobbs, One Minute to Midnight: Kennedy, Khrushchev, 
and Castro on the Brink of Nuclear War (2008). 

I’m quite confident that today, just 10 years into the Department, no DHS compo- 
nent head would dare to say that to the Secretary of Homeland Security, even 
though several of the components have been carrying out their missions as long as 
the Navy. 

Question 2b. How much longer is the argument that bringing together so many 
Federal agencies a legitimate explanation for the Department’s shortcomings? 

Answer. The understandable challenges of post-merger integration at DHS, how- 
ever, do not excuse component or Departmental leadership from fulfilling their mis- 
sions. Responsibility for building the Department’s capacity and accomplishing its 
objectives still has to lie with individual components or offices at DHS. To the extent 
that individual parts of DHS are underperforming, they should be held individually 
accountable for making the necessary programmatic and staffing changes to turn 
the Department around. 

Questions From Chairman Peter T. King for Frank J. Cilluffo 

Question 1. Will you please share your views on the importance of the completion 
of the St. Elizabeths project to the Department’s efforts to consolidate operations 
and its potential impact on the Department’s performance? 

Answer. While I am not fully up to speed on all of the developments surrounding 
the St. Elizabeths project, I am of the view that consolidating operations in a single 
location could have a range of salutary benefits, including the prospect of synergies 
between and among offices and individuals that derive simply from physical prox- 
imity (through increased daily interactions, etc). In addition to tangible advantages, 
such as the facilitation of communications between and among offices and individ- 
uals, there are likely to be intangible advantages as well, such as a greater sense 



65 


of unity of mission and the boost to morale that may occur as a result of co-location 
(which may engender a greater sense of esprit de corps). 

However, there are a range of factors that may affect the timing of completion 
of the St. Elizabeths project, including of course the current budgetary situation; 
hence it may be some time before the project’s benefits come to fruition. Let me un- 
derscore, though, that future developments should not come at the expense of the 
Department’s operating budget. Having said that, perhaps the most forceful and 
vivid argument in favor of timely completion of the St. Elizabeths project is as fol- 
lows: Just imagine the Department of Defense without the Pentagon, or the CIA 
without the George (H.W.) Bush Center for Intelligence in Langley, Virginia. 

Question 2a. How would you compare the creation and maturation of the Depart- 
ment of Homeland Security to date to that experienced by the Department of De- 
fense in the decade after its establishment? 

Do you believe that now, almost 10 years after its creation, the Department 
should have matured more quickly and its components should be operating more ef- 
fectively and efficiently? 

Question 2b. How much longer is the argument that bringing together so many 
Eederal agencies a legitimate explanation for the Department’s shortcomings? 

Answer. There are certainly some similarities between the Department of Home- 
land Security and the Department of Defense in the context described above (cre- 
ation and maturation a decade after establishment). In both instances, it took time 
to synchronize each of the following — operations, planning, strategy, etc. — from an 
organization-wide perspective. Likewise, both cases evidence the pace at which a co- 
hesive organizational culture takes shape; this is not something that appears or 
grows overnight. 

Notably, for the Defense Department, thinking purple is a mindset and action 
posture that took time to cultivate and instill; and even then, in order to genuinely 
root itself required legislation (the Goldwater-Nichols Department of Defense Reor- 
ganization Act of 1986) and a supporting incentive structure that tied education and 
training, interagency rotations, promotion and professional advancement to 
“jointness.” Given that DHS initiatives in the realm of education and training, for 
example, remain nascent, it is no surprise that there are still some bumps in the 
road when it comes to execution and implementation in an effective and efficient 
manner. On paper and in principle, 10 years may seem like a long time. Yet that 
first decade of DHS’ existence has been marked by unprecedented and almost con- 
stant challenges. The fact that DHS was created at a time of crisis, and also evolved 
in such a climate, suggests that an extended interval may be warranted in order 
to judiciously evaluate its progress. 

Having said that, DHS as an enterprise needs a sharper focus and a greater 
prioritization of its activities, to include more and better alignment of budgets with 
priorities. In addition, DHS has yet to define its Office of the Secretary, writ large. 
Compare the Defense Department, whose counterpart Office for Policy (OSD/Policy) 
for example, serves a robust and genuine Department-wide, cross-cutting function. 
This is the bar which DHS should, and must, aim to reach. 

Indeed, the Defense Department today is the gold standard when it comes to 
plans and planning, after-action reflection, and a range of other matters. Both re- 
gional and functional/thematic approaches to a range of complex challenges are suc- 
cessfully integrated and incorporated into outputs, including budgeting for future 
years. Yet there was a time when DoD’s ability to bring these various pieces to- 
gether so effectively was in some question; and this was so despite the fact that 
military endeavors permit a type of mandating vis-a-vis Service members that civil- 
ian entities do not. The challenge at hand is thus compounded: While DoD is found- 
ed upon the science of command and control, DHS must rely instead on cooperation 
and coordination, and the art of persuasion, to successfully achieve its ends. 

Accordingly, I would submit that DHS remains a work in progress, but one that 
must be evaluated in context, with due regard for the substantial challenges that 
the Department has faced in past, and which it will continue to face in future — in- 
cluding an inhospitable climate of financial austerity, coupled with a rapidly evolv- 
ing threat spectrum that encompasses both cyber and kinetic components. 

Questions Erom Chairman Peter T. King for David C. Maurer 

Question 1. Will you please share your views on the importance of the completion 
of the St. Elizabeths project to the Department’s efforts to consolidate operations 
and its potential impact on the Department’s performance? 

Answer. We have previously reported that consolidation or co-location of Federal 
Government offices or functions — a goal of the St. Elizabeths project — may result in 
several benefits, including more effective and efficient operations. In 2011, we re- 



66 


ported that co-locating services can result in improved communication among pro- 
grams, improved delivery of services for clients, and elimination of duplication.'^ For 
example, programs can be co-located within one-stop centers or electronically linked, 
which affords the potential for sharing resources and cross-training staff. In 2006, 
we reported that DHS’s plans to co-locate its headquarters, its component head- 
quarters, and their respective staffs and operations centers at one location could fur- 
ther enhance collaboration among DHS’s component agencies. ^ DHS has also identi- 
fied that consolidating most of its headquarters operations at St. Elizabeths would 
enhance communication, increase efficiency, facilitate mission integration, and foster 
a “One DHS” culture. 

However, given the constrained budget environment, the future of the St. Eliza- 
beths project is uncertain. In December 2011, DHS estimated the project would take 
4 to 5 years longer to complete and cost about $600 million to $700 million more 
than originally planned, largely due to shortfalls in funding. At that time, DHS esti- 
mated that the project would be completed in 2020 or 2021. In March 2012, DHS 
reported that it was in the process of revising its plan of options for completing the 
St. Elizabeths project, and would continue analyzing options throughout the sum- 
mer. One option, which includes large segments based on the original construction 
plan, would take 6 years longer to complete and cost more than $^700 million more 
than originally planned. Under this option, DHS estimated planned construction 
will be completed in 2022 at an overall cost of about $4 billion. 

In addition, while headquarters consolidation may result in gained efficiencies, 
under DHS’s current plan, not all headquarters offices and components will be lo- 
cated at St. Elizabeths. For example, although all of the Secretary’s office and the 
Federal Emergency Management Agency and the U.S. Coast Guard headquarters 
staff will be relocated, only the headquarters leadership of five major DHS compo- 
nents — U.S. Immigration and Customs Enforcement, U.S. Customs and Border Pro- 
tection, Transportation Security Administration, U.S. Secret Service, and U.S. Citi- 
zenship and Immigration Services — will be moved. Headquarters staff from these 
five components will remain in other locations around the National capital region, 
which limits the potential benefits of consolidation. 

Finally, since the planned completion date of the St. Elizabeths project could be 
10 years in the future, DHS will not reap the planned benefits of consolidation for 
some time. During the interim, we believe DHS should continue to focus on exe- 
cuting its plans for addressing GAO’s designation of implementing and transforming 
DHS as a high-risk issue. Doing so will enhance the management platform for the 
entire Department and better position DHS to carry out its various missions in a 
more efficient and effective manner. 

Question 2a. How would you compare the creation and maturation of the Depart- 
ment of Homeland Security to date to that experienced by the Department of De- 
fense in the decade after its establishment? 

Do you believe that now, almost 10 years after its creation, the Department 
should have matured more quickly and its components should be operating more ef- 
fectively and efficiently? 

Question 2b. How much longer is the argument that bringing together so many 
Federal agencies a legitimate explanation for the Department’s shortcomings? 

Answer. As DHS continues to implement plans to address its long-standing man- 
agement challenges, it can learn from the experience of other departments, includ- 
ing the Department of Defense (DoD). Specifically, since its creation in 1949, DoD 
has worked to unify the Department, enhance its management practices, and foster 
a joint approach to operations and decision making. However, it is also important 
to note that some of DoD’s experiences may not be appropriate for DHS. For exam- 
ple, as of October 2012, 63 years after DoD’s creation, it remains on GAO’s high- 
risk list for seven management-related topics, including financial management, 
weapon systems acquisition, and business systems modernization. In addition, sev- 
eral important aspects of DoD’s organization and approach are devoted to deter- 
rence, combat operations, and other National security missions that, while com- 
plimentary to DHS’s homeland security focus, differ significantly from the day-to- 
day operations and requirements of DHS’s components. DHS can certainly learn 
from DoD’s experience, but should exercise care in appropriately selecting and ap- 
plying those lessons that can be best applied to DHS. 

Prior to DHS’s creation, we reported that building a common, unified Department 
from several legacy agencies represented a significant challenge that would take 


1 GAO-11-92. 
2GAO-07-89. 



67 


several years to achieve.^ This has proven to he the case. DHS has remained on 
GAO’s high-risk list since it began operations in 2003. 

Since its creation, DHS has implemented key homeland security operations and 
achieved important goals in many areas to create and strengthen a foundation to 
reach its potential. DHS has made important progress, particularly on the mission 
side. For example, DHS: 

• Implemented the U.S. Visitor and Immigrant Status Indicator Technology pro- 
gram to verify the identities of foreign visitors entering and exiting the country 
by processing biometric and biographic information; 

• Developed and implemented Secure Flight — a program for screening airline pas- 
sengers against terrorist watch list records — and new programs and tech- 
nologies to screen passengers, checked baggage, and air cargo; 

• Assessed risks posed by chemical, biological, radiological and nuclear threats 
and deployed capabilities to detect these threats; and 

• Created new programs and offices to implement its homeland security respon- 
sibilities, such as establishing the U.S. Computer Emergency Readiness Team 
to help coordinate efforts to address cybersecurity threats. 

But at the same time, our work has identified three key themes — leading and co- 
ordinating the homeland security enterprise, implementing and integrating manage- 
ment functions for results, and strategically managing risks and assessing home- 
land security efforts — that have impacted the Department’s progress since it began 
operations.'^ DHS had successes in all of these areas, but our work found that these 
themes have been at the foundation of DHS’s implementation challenges and need 
to be addressed from a Department-wide perspective. As DHS continues to mature, 
more work remains for it to strengthen the efficiency and effectiveness of those ef- 
forts to achieve its full potential. 

Of particular note, DHS continues to face several management challenges. For ex- 
ample, DHS’s major acquisitions programs face challenges that increase the risk of 
poor outcomes, such as cost growth and schedule delays. Additionally, DHS has 
been unable to obtain an audit opinion on its internal controls over financial report- 
ing due to material weaknesses in internal controls. Further, despite DHS efforts 
to improve employee morale. Federal surveys have consistently found that DHS em- 
ployees are less satisfied with their jobs than the Government-wide average. 

DHS has several initiatives underway that, if fully implemented and sustained, 
could help address the Department’s management challenges. For example, as I 
noted in my September 2012 testimony before this committee, DHS’s Integrated 
Strategy for High-Risk Management identifies 18 key initiatives and corresponding 
corrective action plans for addressing the Department’s management challenges and 
improving operational efficiency through better integration of people, structures, 
and processes. This strategy provides a path for moving DHS from where it is now — 
a large Department with several management challenges — to where it wants to be — 
a unified Department, supported by integrated management functions. DHS must 
now focus on executing the strategy. Doing so is important because building a solid 
management foundation will help DHS carry out its homeland security missions. 

o 


3GAO-03-260. 

^DHS defines the homeland security enterprise as the Federal, State, local, Tribal, territorial, 
non-govemmental, and private-sector entities, as well as individuals, families, and communities, 
who share a common National interest in the safety and security of the United States and the 
American population. 



